diff --git a/.gitignore b/.gitignore
index ea93a8e1f091..278d00a93752 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ __generated__
 .clauderc
 .tmp/
 *.private_ai_docs.md
+.cursor/plans/
 dist
 build-electron
 .next
diff --git a/apps/desktop/app/app.ts b/apps/desktop/app/app.ts
index 11248fbd1e16..9c05a20369da 100644
--- a/apps/desktop/app/app.ts
+++ b/apps/desktop/app/app.ts
@@ -55,7 +55,7 @@ import {
 } from './resoucePath';
 import { initSentry } from './sentry';
 import { startServices } from './service';
-import { setMainWindow } from './service/oauthLocalServer/oauthLocalServer';
+import { setMainWindowForOAuthServer } from './service/oauthLocalServer/oauthLocalServer';
 
 logger.initialize();
 logger.transports.file.maxSize = 1024 * 1024 * 10;
@@ -564,7 +564,7 @@ async function createMainWindow() {
   void browserWindow.loadURL(src);
 
   // Set main window reference for OAuth server
-  setMainWindow(browserWindow);
+  setMainWindowForOAuthServer(browserWindow);
 
   // Protocol handler for win32
   if (isWin || isMac) {
diff --git a/apps/desktop/app/service/appleAuth/appleAuth.ts b/apps/desktop/app/service/appleAuth/appleAuth.ts
new file mode 100644
index 000000000000..ec571575de35
--- /dev/null
+++ b/apps/desktop/app/service/appleAuth/appleAuth.ts
@@ -0,0 +1,80 @@
+/**
+ * Native Apple Sign-In service for macOS Desktop
+ *
+ * Uses the native apple-auth-macos module to perform Apple Sign-In
+ * with system UI (no browser required).
+ */
+
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+
+// eslint-disable-next-line import/no-relative-packages
+import type { IAppleSignInResult } from '../../../native-modules/apple-auth-macos';
+
+// Only load on macOS
+const isMacOS = process.platform === 'darwin';
+
+let appleAuthModule:
+  | typeof import('../../../native-modules/apple-auth-macos')
+  | null = null;
+
+// Lazy load the native module
+function getAppleAuthModule() {
+  if (!isMacOS) {
+    return null;
+  }
+
+  if (!appleAuthModule) {
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-require-imports
+      appleAuthModule = require('../../native-modules/apple-auth-macos');
+    } catch (error) {
+      console.warn(
+        'Failed to load apple-auth-macos:',
+        error instanceof Error ? error.message : error,
+      );
+      return null;
+    }
+  }
+
+  return appleAuthModule;
+}
+
+/**
+ * Check if native Apple Sign-In is available.
+ * Requires macOS 10.15+ and the native module to be built.
+ */
+export function isAppleAuthAvailable(): boolean {
+  const module = getAppleAuthModule();
+  if (!module) {
+    return false;
+  }
+
+  try {
+    return module.isAvailable();
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Perform native Apple Sign-In.
+ *
+ * @returns Promise with identity token and nonce for Supabase
+ * @throws Error if sign-in fails or user cancels
+ */
+export async function signInWithApple(): Promise<IAppleSignInResult> {
+  const module = getAppleAuthModule();
+
+  if (!module) {
+    throw new OneKeyLocalError(
+      'Apple Sign-In native module is not available. ' +
+        'Make sure you are on macOS and the module is built.',
+    );
+  }
+
+  if (!module.isAvailable()) {
+    throw new OneKeyLocalError('Apple Sign-In requires macOS 10.15 or later');
+  }
+
+  return module.signIn();
+}
diff --git a/apps/desktop/app/service/oauthLocalServer/oauthCallbackHtml.ts b/apps/desktop/app/service/oauthLocalServer/oauthCallbackHtml.ts
index df25ae795ce5..95bc19c187da 100644
--- a/apps/desktop/app/service/oauthLocalServer/oauthCallbackHtml.ts
+++ b/apps/desktop/app/service/oauthLocalServer/oauthCallbackHtml.ts
@@ -1,8 +1,8 @@
 /**
- * HTML templates returned by the localhost OAuth callback server (`/callback`).
+ * HTML templates returned by the localhost OAuth callback server (`/oauth_callback_desktop`).
  *
  * Why this exists:
- * - Supabase redirects back to `http://127.0.0.1:<port>/callback` with `code` (and `state`)
+ * - Supabase redirects back to `http://127.0.0.1:<port>/oauth_callback_desktop` with `code` (and `state`)
  *   in the URL query string (PKCE authorization code flow).
  * - We return an HTML page with JS to extract `code`/`state`, then POST them to `/complete`
  *   so the desktop app can validate state (anti-CSRF) and exchange the code for a session.
@@ -10,10 +10,204 @@
  * Note:
  * - Browsers may block `window.close()` unless the tab/window was opened by script.
  *   We still attempt a best-effort close and provide a manual Close button.
+ *
+ * Design tokens used (from Figma):
+ * - Colors: text rgba(0,0,0,0.88), textSubdued rgba(0,0,0,0.61), bgStrong rgba(0,0,0,0.05)
+ * - Font sizes: heading4xl 32px/40px, headingMd 16px/24px semibold, bodyLg 16px/24px
+ * - Spacing: space-6 24px, space-2 8px, space-3.5 14px
+ * - Border radius: radius-2 8px
  */
 
 import { escape as escapeHtml } from 'lodash';
 
+// OneKey logomark SVG (circular version with brand green)
+const ONEKEY_LOGOMARK_SVG = `
+<svg width="48" height="48" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <g clip-path="url(#clip0_23161_477)">
+    <path
+      d="M48 24C48 40.5685 40.5685 48 24 48C7.43146 48 0 40.5685 0 24C0 7.43146 7.43146 0 24 0C40.5685 0 48 7.43146 48 24Z"
+      fill="#44D62C"
+      style="fill:#44D62C;fill:color(display-p3 0.2667 0.8392 0.1725);fill-opacity:1;"
+    />
+    <path
+      d="M26.1685 10.1768L19.4918 10.1768L18.3204 13.7186H22.0288V21.1793H26.1685V10.1768Z"
+      fill="black"
+      style="fill:black;fill-opacity:1;"
+    />
+    <path
+      fill-rule="evenodd"
+      clip-rule="evenodd"
+      d="M31.6146 30.2086C31.6146 34.414 28.2055 37.8231 24.0001 37.8231C19.7948 37.8231 16.3857 34.414 16.3857 30.2086C16.3857 26.0033 19.7948 22.5942 24.0001 22.5942C28.2055 22.5942 31.6146 26.0033 31.6146 30.2086ZM28.1577 30.2086C28.1577 32.5048 26.2963 34.3662 24.0001 34.3662C21.704 34.3662 19.8426 32.5048 19.8426 30.2086C19.8426 27.9124 21.704 26.051 24.0001 26.051C26.2963 26.051 28.1577 27.9124 28.1577 30.2086Z"
+      fill="black"
+      style="fill:black;fill-opacity:1;"
+    />
+  </g>
+  <defs>
+    <clipPath id="clip0_23161_477">
+      <rect
+        width="48"
+        height="48"
+        fill="white"
+        style="fill:white;fill-opacity:1;"
+      />
+    </clipPath>
+  </defs>
+</svg>
+`;
+
+// CSS styles following OneKey design tokens
+const OAUTH_CALLBACK_STYLES = `
+<style>
+  :root {
+    /* Colors - Light theme */
+    --color-bg-app: #ffffff;
+    --color-text: rgba(0, 0, 0, 0.88);
+    --color-text-subdued: rgba(0, 0, 0, 0.61);
+    --color-bg-strong: rgba(0, 0, 0, 0.05);
+    --color-bg-strong-hover: rgba(0, 0, 0, 0.08);
+    --color-bg-strong-active: rgba(0, 0, 0, 0.12);
+    --color-critical: #dc2626;
+    --color-critical-subdued: rgba(220, 38, 38, 0.1);
+
+    /* Spacing */
+    --space-2: 8px;
+    --space-3: 12px;
+    --space-3-5: 14px;
+    --space-6: 24px;
+
+    /* Border radius */
+    --radius-2: 8px;
+
+    /* Typography */
+    --font-family: -apple-system, BlinkMacSystemFont, 'SF Pro Display', 'SF Pro Text', 'Segoe UI', Roboto, sans-serif;
+  }
+
+  @media (prefers-color-scheme: dark) {
+    :root {
+      /* Colors - Dark theme */
+      --color-bg-app: #1a1a1a;
+      --color-text: rgba(255, 255, 255, 0.88);
+      --color-text-subdued: rgba(255, 255, 255, 0.61);
+      --color-bg-strong: rgba(255, 255, 255, 0.08);
+      --color-bg-strong-hover: rgba(255, 255, 255, 0.12);
+      --color-bg-strong-active: rgba(255, 255, 255, 0.16);
+      --color-critical: #f87171;
+      --color-critical-subdued: rgba(248, 113, 113, 0.15);
+    }
+  }
+
+  * {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+  }
+
+  body {
+    font-family: var(--font-family);
+    background: var(--color-bg-app);
+    -webkit-font-smoothing: antialiased;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+  }
+
+  .container {
+    display: flex;
+    flex-direction: column;
+    gap: var(--space-6);
+    width: 400px;
+    padding: 0 var(--space-6);
+  }
+
+  .logo {
+    width: 48px;
+    height: 48px;
+  }
+
+  .content {
+    display: flex;
+    flex-direction: column;
+    gap: var(--space-2);
+    padding-bottom: 22px;
+  }
+
+  .title {
+    font-size: 32px;
+    font-weight: 600;
+    line-height: 40px;
+    letter-spacing: 0.38px;
+    color: var(--color-text);
+  }
+
+  .title--error {
+    color: var(--color-critical);
+  }
+
+  .subtitle {
+    font-size: 16px;
+    font-weight: 600;
+    line-height: 24px;
+    letter-spacing: -0.32px;
+    color: var(--color-text);
+  }
+
+  .description {
+    font-size: 16px;
+    font-weight: 400;
+    line-height: 24px;
+    letter-spacing: -0.32px;
+    color: var(--color-text-subdued);
+  }
+
+  .button-container {
+    padding-top: var(--space-2);
+  }
+
+  .button {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    gap: var(--space-2);
+    padding: 7px 15px;
+    background: var(--color-bg-strong);
+    border: 1px solid transparent;
+    border-radius: var(--radius-2);
+    font-family: var(--font-family);
+    font-size: 16px;
+    font-weight: 500;
+    line-height: 24px;
+    letter-spacing: -0.32px;
+    color: var(--color-text);
+    cursor: pointer;
+    transition: background-color 0.15s ease;
+  }
+
+  .button:hover {
+    background: var(--color-bg-strong-hover);
+  }
+
+  .button:active {
+    background: var(--color-bg-strong-active);
+  }
+
+  .error-box {
+    background: var(--color-critical-subdued);
+    border-radius: var(--radius-2);
+    padding: var(--space-3);
+    margin-top: var(--space-2);
+  }
+
+  .error-message {
+    font-size: 14px;
+    font-weight: 400;
+    line-height: 20px;
+    color: var(--color-critical);
+    word-break: break-word;
+  }
+</style>
+`;
+
 const OAUTH_CALLBACK_CLOSE_SCRIPT = `
   function clearUrlHash() {
     try {
@@ -32,17 +226,29 @@ const OAUTH_CALLBACK_CLOSE_SCRIPT = `
 export const OAUTH_CALLBACK_ERROR_HTML = (
   errorMessage: string,
 ) => `<!DOCTYPE html>
-<html>
+<html lang="en">
   <head>
     <title>Login Failed</title>
     <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    ${OAUTH_CALLBACK_STYLES}
   </head>
-  <body style="font-family: system-ui, -apple-system, sans-serif; text-align: center; padding: 50px; background: #f5f5f5;">
-    <div style="background: white; padding: 40px; border-radius: 12px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); max-width: 400px; margin: 0 auto;">
-      <h1 style="color: #d32f2f; margin-bottom: 16px;">Login Failed</h1>
-      <p style="color: #666;">Error: ${escapeHtml(errorMessage)}</p>
-      <p style="color: #999; font-size: 12px; margin-top: 24px;">This tab may not close automatically due to browser restrictions. You can safely close it.</p>
-      <button id="closeBtn" onclick="tryClose()" style="margin-top: 16px; padding: 10px 16px; border: 0; border-radius: 8px; background: #111; color: #fff; cursor: pointer;">Close</button>
+  <body>
+    <div class="container">
+      <div class="logo">
+        ${ONEKEY_LOGOMARK_SVG}
+      </div>
+      <div class="content">
+        <h1 class="title title--error">Login failed</h1>
+        <p class="subtitle">Something went wrong during login.</p>
+        <div class="error-box">
+          <p class="error-message">${escapeHtml(errorMessage)}</p>
+        </div>
+        <p class="description">Click the button below if this window does not close automatically.</p>
+        <div class="button-container">
+          <button class="button" id="closeBtn" onclick="tryClose()">Close window</button>
+        </div>
+      </div>
     </div>
     <script>
       ${OAUTH_CALLBACK_CLOSE_SCRIPT}
@@ -55,17 +261,26 @@ export const OAUTH_CALLBACK_ERROR_HTML = (
 `;
 
 export const OAUTH_CALLBACK_SUCCESS_HTML = `<!DOCTYPE html>
-<html>
+<html lang="en">
   <head>
     <title>Login Successful</title>
     <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    ${OAUTH_CALLBACK_STYLES}
   </head>
-  <body style="font-family: system-ui, -apple-system, sans-serif; text-align: center; padding: 50px; background: #f5f5f5;">
-    <div style="background: white; padding: 40px; border-radius: 12px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); max-width: 400px; margin: 0 auto;">
-      <h1 style="color: #1a1a1a; margin-bottom: 16px;">Login Successful!</h1>
-      <p style="color: #666; margin-bottom: 24px;">You can close this window and return to OneKey.</p>
-      <div style="color: #999; font-size: 12px;">This tab may not close automatically due to browser restrictions. You can safely close it.</div>
-      <button id="closeBtn" onclick="tryClose()" style="margin-top: 16px; padding: 10px 16px; border: 0; border-radius: 8px; background: #111; color: #fff; cursor: pointer;">Close</button>
+  <body>
+    <div class="container">
+      <div class="logo">
+        ${ONEKEY_LOGOMARK_SVG}
+      </div>
+      <div class="content">
+        <h1 class="title">Login successful</h1>
+        <p class="subtitle">You can close this window and return to OneKey.</p>
+        <p class="description">Click the button below if this window does not close automatically.</p>
+        <div class="button-container">
+          <button class="button" id="closeBtn" onclick="tryClose()">Close window</button>
+        </div>
+      </div>
     </div>
     <script>
       ${OAUTH_CALLBACK_CLOSE_SCRIPT}
@@ -74,6 +289,7 @@ export const OAUTH_CALLBACK_SUCCESS_HTML = `<!DOCTYPE html>
       const urlParams = new URLSearchParams(window.location.search);
       const code = urlParams.get('code');
       const state = urlParams.get('state');
+      const oneKeyState = urlParams.get('onekey_oauth_state');
       // Clear URL query ASAP to avoid leaking code in the address bar.
       try {
         history.replaceState(null, document.title, window.location.pathname);
@@ -84,7 +300,7 @@ export const OAUTH_CALLBACK_SUCCESS_HTML = `<!DOCTYPE html>
         fetch('/complete', {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ code, state }),
+          body: JSON.stringify({ code, state, oneKeyState }),
         }).then(() => {
           setTimeout(tryClose, 1500);
         }).catch(() => {
diff --git a/apps/desktop/app/service/oauthLocalServer/oauthLocalServer.ts b/apps/desktop/app/service/oauthLocalServer/oauthLocalServer.ts
index b5819b0ce8f5..30081f6ae750 100644
--- a/apps/desktop/app/service/oauthLocalServer/oauthLocalServer.ts
+++ b/apps/desktop/app/service/oauthLocalServer/oauthLocalServer.ts
@@ -5,6 +5,7 @@ import { app, shell } from 'electron';
 
 import {
   OAUTH_CALLBACK_DESKTOP_CHANNEL,
+  OAUTH_CALLBACK_DESKTOP_PATH,
   OAUTH_POPUP_HEIGHT,
   OAUTH_POPUP_WIDTH,
 } from '@onekeyhq/shared/src/consts/authConsts';
@@ -22,7 +23,7 @@ let oauthServer: Server | null = null;
 // Get main window reference (will be set from app.ts)
 let mainWindow: BrowserWindow | null = null;
 
-export function setMainWindow(window: BrowserWindow | null) {
+export function setMainWindowForOAuthServer(window: BrowserWindow | null) {
   mainWindow = window;
 }
 
@@ -159,24 +160,6 @@ function tryOpenChromeAppWindow(url: string): boolean {
   return false;
 }
 
-// Fixed port range for OAuth callback
-// Web Application type requires explicit port configuration in Google Cloud Console
-// These ports must be added to Authorized redirect URIs:
-// http://localhost:19185/callback
-// http://localhost:19285/callback
-// http://localhost:19385/callback
-// http://localhost:19485/callback
-// http://localhost:19585/callback
-// http://127.0.0.1:19185/callback
-// http://127.0.0.1:19285/callback
-// http://127.0.0.1:19385/callback
-// http://127.0.0.1:19485/callback
-// http://127.0.0.1:19585/callback
-const OAUTH_PORTS = [
-  19_185, 19_285, 19_385, 19_485, 19_585,
-  //
-];
-
 // Export functions for DesktopApiOAuth to use
 export async function startOAuthServer(): Promise<{ port: number }> {
   return new Promise((resolve, reject) => {
@@ -186,101 +169,85 @@ export async function startOAuthServer(): Promise<{ port: number }> {
       oauthServer = null;
     }
 
-    // Try each port in sequence until one is available
-    let portIndex = 0;
-    const startIndex = Math.floor(Math.random() * OAUTH_PORTS.length);
-
-    const tryStartServer = (): void => {
-      if (portIndex >= OAUTH_PORTS.length) {
-        reject(new Error('All OAuth ports are occupied'));
-        return;
-      }
-
-      const port = OAUTH_PORTS[(startIndex + portIndex) % OAUTH_PORTS.length];
-      oauthServer = createServer((req, res) => {
-        const url = new URL(req.url || '/', 'http://localhost');
-
-        // Handle callback from OAuth (Supabase redirects back to localhost with authorization code in URL query)
-        if (url.pathname === '/callback') {
-          // PKCE flow: authorization code is in URL query string (not hash)
-          const error = url.searchParams.get('error');
+    oauthServer = createServer((req, res) => {
+      const url = new URL(req.url || '/', 'http://localhost');
 
-          if (error) {
-            // OAuth error occurred
-            res.writeHead(200, {
-              'Content-Type': 'text/html; charset=utf-8',
-            });
-            res.end(OAUTH_CALLBACK_ERROR_HTML(error));
-            return;
-          }
+      // Handle callback from OAuth (Supabase redirects back to localhost with authorization code in URL query)
+      if (url.pathname === OAUTH_CALLBACK_DESKTOP_PATH) {
+        // PKCE flow: authorization code is in URL query string (not hash)
+        const error = url.searchParams.get('error');
 
-          // Return HTML page that extracts code from URL query and sends to server
+        if (error) {
+          // OAuth error occurred
           res.writeHead(200, {
             'Content-Type': 'text/html; charset=utf-8',
           });
-          res.end(OAUTH_CALLBACK_SUCCESS_HTML);
-        } else if (url.pathname === '/complete' && req.method === 'POST') {
-          // Receive authorization code from browser JS
-          let body = '';
-          req.on('data', (chunk) => {
-            body += (chunk as Buffer).toString();
-          });
-          req.on('end', () => {
-            try {
-              const { code, state } = JSON.parse(body) as {
-                code: string;
-                state?: string;
-              };
-
-              if (code && mainWindow && !mainWindow.isDestroyed()) {
-                // Send authorization code to renderer process
-                mainWindow.webContents.send(OAUTH_CALLBACK_DESKTOP_CHANNEL, {
-                  code,
-                  state,
-                });
-              }
-
-              res.writeHead(200, { 'Content-Type': 'text/plain' });
-              res.end('OK');
-
-              // Close server after receiving callback
-              setTimeout(() => {
-                oauthServer?.close();
-                oauthServer = null;
-              }, 1000);
-            } catch (error) {
-              res.writeHead(400, { 'Content-Type': 'text/plain' });
-              res.end('Invalid request');
-            }
-          });
-        } else {
-          // 404 for other paths
-          res.writeHead(404, { 'Content-Type': 'text/plain' });
-          res.end('Not Found');
+          res.end(OAUTH_CALLBACK_ERROR_HTML(error));
+          return;
         }
-      });
 
-      // Try to listen on the current port
-      oauthServer.listen(port, '127.0.0.1', () => {
-        resolve({ port });
-      });
+        // Return HTML page that extracts code from URL query and sends to server
+        res.writeHead(200, {
+          'Content-Type': 'text/html; charset=utf-8',
+        });
+        res.end(OAUTH_CALLBACK_SUCCESS_HTML);
+      } else if (url.pathname === '/complete' && req.method === 'POST') {
+        // Receive authorization code from browser JS
+        let body = '';
+        req.on('data', (chunk) => {
+          body += (chunk as Buffer).toString();
+        });
+        req.on('end', () => {
+          try {
+            const { code, state, oneKeyState } = JSON.parse(body) as {
+              code: string;
+              state?: string;
+              oneKeyState?: string;
+            };
+
+            if (code && mainWindow && !mainWindow.isDestroyed()) {
+              // Send authorization code to renderer process
+              mainWindow.webContents.send(OAUTH_CALLBACK_DESKTOP_CHANNEL, {
+                code,
+                state,
+                oneKeyState,
+              });
+            }
 
-      // eslint-disable-next-line spellcheck/spell-checker
-      oauthServer.on('error', (error: NodeJS.ErrnoException) => {
-        // If port is in use, try next port
-        if (error.code === 'EADDRINUSE') {
-          oauthServer?.close();
-          oauthServer = null;
-          portIndex += 1;
-          tryStartServer();
-        } else {
-          reject(error);
-        }
-      });
-    };
+            res.writeHead(200, { 'Content-Type': 'text/plain' });
+            res.end('OK');
+
+            // Close server after receiving callback
+            setTimeout(() => {
+              oauthServer?.close();
+              oauthServer = null;
+            }, 1000);
+          } catch (error) {
+            res.writeHead(400, { 'Content-Type': 'text/plain' });
+            res.end('Invalid request');
+          }
+        });
+      } else {
+        // 404 for other paths
+        res.writeHead(404, { 'Content-Type': 'text/plain' });
+        res.end('Not Found');
+      }
+    });
+
+    // Use listen(0) to let the system automatically assign an available port
+    oauthServer.listen(0, '127.0.0.1', () => {
+      const address = oauthServer?.address();
+      if (address && typeof address === 'object' && address.port) {
+        resolve({ port: address.port });
+      } else {
+        reject(new Error('Failed to get assigned port from server'));
+      }
+    });
 
-    // Start trying ports
-    tryStartServer();
+    // eslint-disable-next-line spellcheck/spell-checker
+    oauthServer.on('error', (error: NodeJS.ErrnoException) => {
+      reject(error);
+    });
 
     // Auto-close server after 5 minutes timeout
     setTimeout(() => {
diff --git a/apps/desktop/native-modules/apple-auth-macos/README.md b/apps/desktop/native-modules/apple-auth-macos/README.md
new file mode 100644
index 000000000000..991bc611f408
--- /dev/null
+++ b/apps/desktop/native-modules/apple-auth-macos/README.md
@@ -0,0 +1,81 @@
+# apple-auth-macos
+
+Native Apple Sign-In for macOS Electron apps.
+
+## Requirements
+
+- macOS 10.15 (Catalina) or later
+- Xcode Command Line Tools
+- Node.js with node-gyp
+
+## Build
+
+```bash
+cd apps/desktop/native-modules/apple-auth-macos
+npm install
+npm run build
+```
+
+Or from project root:
+
+```bash
+node apps/desktop/development/build_apple_auth.js
+```
+
+## Usage
+
+```javascript
+const appleAuth = require('./native-modules/apple-auth-macos');
+
+// Check availability
+if (appleAuth.isAvailable()) {
+  try {
+    const result = await appleAuth.signIn();
+    console.log('Identity Token:', result.identityToken);
+    console.log('Raw Nonce:', result.rawNonce);
+
+    // Use with Supabase
+    const { data, error } = await supabase.auth.signInWithIdToken({
+      provider: 'apple',
+      token: result.identityToken,
+      nonce: result.rawNonce,
+    });
+  } catch (error) {
+    if (error.message.includes('cancelled')) {
+      console.log('User cancelled');
+    } else {
+      console.error('Sign-in failed:', error);
+    }
+  }
+}
+```
+
+## API
+
+### `isAvailable(): boolean`
+
+Check if Apple Sign-In is available on this system.
+
+### `signIn(): Promise<AppleSignInResult>`
+
+Perform Apple Sign-In. Returns:
+
+```typescript
+interface AppleSignInResult {
+  identityToken: string;    // JWT to send to Supabase
+  authorizationCode?: string;
+  user: string;             // Apple user ID
+  email?: string;           // Only on first sign-in
+  fullName?: string;        // Only on first sign-in
+  rawNonce: string;         // For Supabase nonce validation
+}
+```
+
+## Important Notes
+
+1. **Supabase Configuration**: Make sure your Supabase Apple provider has the correct bundle ID configured in "Client ID(s)".
+
+2. **App Signing**: For production, the app must be properly signed with Apple Developer certificate and have the "Sign in with Apple" capability.
+
+3. **First Sign-In**: Email and full name are only provided on the user's first sign-in with your app. Store them if needed.
+
diff --git a/apps/desktop/native-modules/apple-auth-macos/binding.gyp b/apps/desktop/native-modules/apple-auth-macos/binding.gyp
new file mode 100644
index 000000000000..511de940e2f9
--- /dev/null
+++ b/apps/desktop/native-modules/apple-auth-macos/binding.gyp
@@ -0,0 +1,30 @@
+{
+  "targets": [
+    {
+      "target_name": "apple_auth",
+      "conditions": [
+        ["OS=='mac'", {
+          "sources": [
+            "src/apple_auth.mm"
+          ],
+          "include_dirs": [
+            "<!@(node -p \"require('node-addon-api').include\")"
+          ],
+          "defines": [
+            "NAPI_DISABLE_CPP_EXCEPTIONS"
+          ],
+          "xcode_settings": {
+            "CLANG_CXX_LANGUAGE_STANDARD": "c++17",
+            "MACOSX_DEPLOYMENT_TARGET": "10.15",
+            "OTHER_LDFLAGS": [
+              "-framework AuthenticationServices",
+              "-framework Foundation",
+              "-framework AppKit"
+            ]
+          }
+        }]
+      ]
+    }
+  ]
+}
+
diff --git a/apps/desktop/native-modules/apple-auth-macos/index.d.ts b/apps/desktop/native-modules/apple-auth-macos/index.d.ts
new file mode 100644
index 000000000000..6beb83747679
--- /dev/null
+++ b/apps/desktop/native-modules/apple-auth-macos/index.d.ts
@@ -0,0 +1,33 @@
+/**
+ * Native Apple Sign-In for macOS Electron apps
+ */
+
+export interface IAppleSignInResult {
+  /** JWT identity token to send to Supabase signInWithIdToken */
+  identityToken: string;
+  /** Authorization code (for server-side validation) */
+  authorizationCode?: string;
+  /** Apple user identifier (stable across sign-ins) */
+  user: string;
+  /** User's email (only provided on first sign-in) */
+  email?: string;
+  /** User's full name (only provided on first sign-in) */
+  fullName?: string;
+  /** Raw nonce for Supabase validation */
+  rawNonce: string;
+}
+
+/**
+ * Check if Apple Sign-In is available.
+ * Requires macOS 10.15 (Catalina) or later.
+ * @returns True if available
+ */
+export function isAvailable(): boolean;
+
+/**
+ * Perform Apple Sign-In.
+ * Shows native Apple Sign-In dialog and returns identity token.
+ * @returns Promise resolving with sign-in result
+ * @throws Error if sign-in fails or user cancels
+ */
+export function signIn(): Promise<IAppleSignInResult>;
diff --git a/apps/desktop/native-modules/apple-auth-macos/index.js b/apps/desktop/native-modules/apple-auth-macos/index.js
new file mode 100644
index 000000000000..e20a1eada433
--- /dev/null
+++ b/apps/desktop/native-modules/apple-auth-macos/index.js
@@ -0,0 +1,76 @@
+/**
+ * Native Apple Sign-In for macOS Electron apps
+ *
+ * Usage:
+ *   const appleAuth = require('apple-auth-macos');
+ *
+ *   if (appleAuth.isAvailable()) {
+ *     const result = await appleAuth.signIn();
+ *     console.log(result.identityToken); // JWT to send to Supabase
+ *   }
+ */
+
+// Only load native module on macOS
+const isMacOS = process.platform === 'darwin';
+
+let nativeModule = null;
+
+if (isMacOS) {
+  try {
+    // Try to load the native module
+    // In development: from build/Release/
+    // In production: from the app bundle
+    nativeModule = require('./build/Release/apple_auth.node');
+  } catch (error) {
+    console.warn(
+      'Failed to load apple-auth-macos native module:',
+      error.message,
+    );
+  }
+}
+
+/**
+ * Check if Apple Sign-In is available.
+ * @returns {boolean} True if available (macOS 10.15+)
+ */
+function isAvailable() {
+  if (!isMacOS || !nativeModule) {
+    return false;
+  }
+  try {
+    return nativeModule.isAvailable();
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Perform Apple Sign-In.
+ * @returns {Promise<{
+ *   identityToken: string,
+ *   authorizationCode?: string,
+ *   user: string,
+ *   email?: string,
+ *   fullName?: string,
+ *   rawNonce: string
+ * }>}
+ * @throws {Error} If sign-in fails or is cancelled
+ */
+async function signIn() {
+  if (!isMacOS) {
+    throw new Error('Apple Sign-In is only available on macOS');
+  }
+  if (!nativeModule) {
+    throw new Error('Apple Sign-In native module not loaded');
+  }
+  if (!isAvailable()) {
+    throw new Error('Apple Sign-In requires macOS 10.15 or later');
+  }
+
+  return nativeModule.signIn();
+}
+
+module.exports = {
+  isAvailable,
+  signIn,
+};
diff --git a/apps/desktop/native-modules/apple-auth-macos/package.json b/apps/desktop/native-modules/apple-auth-macos/package.json
new file mode 100644
index 000000000000..2f68ae587081
--- /dev/null
+++ b/apps/desktop/native-modules/apple-auth-macos/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "apple-auth-macos",
+  "version": "1.0.0",
+  "description": "Native Apple Sign-In for macOS Electron apps",
+  "main": "index.js",
+  "private": true,
+  "scripts": {
+    "build": "node-gyp rebuild",
+    "clean": "node-gyp clean"
+  },
+  "dependencies": {
+    "node-addon-api": "^7.0.0"
+  },
+  "gypfile": true
+}
+
diff --git a/apps/desktop/native-modules/apple-auth-macos/src/apple_auth.mm b/apps/desktop/native-modules/apple-auth-macos/src/apple_auth.mm
new file mode 100644
index 000000000000..cbb46295dbee
--- /dev/null
+++ b/apps/desktop/native-modules/apple-auth-macos/src/apple_auth.mm
@@ -0,0 +1,317 @@
+/**
+ * Native Apple Sign-In for macOS Electron apps
+ *
+ * Uses ASAuthorizationController from AuthenticationServices framework
+ * to perform native Apple Sign-In and return the identity token.
+ *
+ * Reference:
+ * - https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller
+ * - https://developer.apple.com/documentation/authenticationservices/asauthorizationappleidprovider
+ */
+
+#import <napi.h>
+#import <AuthenticationServices/AuthenticationServices.h>
+#import <Foundation/Foundation.h>
+#import <AppKit/AppKit.h>
+#import <CommonCrypto/CommonCrypto.h>
+
+// ============================================================================
+// Helper Functions
+// ============================================================================
+
+// Helper: Generate SHA256 hash of a string (for nonce)
+static NSString* sha256(NSString* input) {
+    const char* str = [input UTF8String];
+    unsigned char hash[CC_SHA256_DIGEST_LENGTH];
+    CC_SHA256(str, (CC_LONG)strlen(str), hash);
+
+    NSMutableString* output = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
+    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
+        [output appendFormat:@"%02x", hash[i]];
+    }
+    return output;
+}
+
+// Helper: Generate a random nonce string
+static NSString* generateNonce(int length) {
+    NSMutableString* nonce = [NSMutableString stringWithCapacity:length];
+    NSString* chars = @"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._";
+    for (int i = 0; i < length; i++) {
+        uint32_t index = arc4random_uniform((uint32_t)[chars length]);
+        [nonce appendFormat:@"%C", [chars characterAtIndex:index]];
+    }
+    return nonce;
+}
+
+// ============================================================================
+// Result Data Structure (thread-safe, plain C++ data)
+// ============================================================================
+
+struct AppleAuthResult {
+    bool success;
+    std::string errorMessage;
+    std::string identityToken;
+    std::string authorizationCode;
+    std::string user;
+    std::string email;
+    std::string fullName;
+    std::string rawNonce;
+};
+
+// ============================================================================
+// Delegate class for ASAuthorizationController
+// ============================================================================
+
+API_AVAILABLE(macos(10.15))
+@interface AppleAuthDelegate : NSObject <ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding>
+@property (nonatomic, copy) void (^completionHandler)(AppleAuthResult result);
+@property (nonatomic, strong) NSString* rawNonce;
+@end
+
+@implementation AppleAuthDelegate
+
+- (ASPresentationAnchor)presentationAnchorForAuthorizationController:(ASAuthorizationController *)controller API_AVAILABLE(macos(10.15)) {
+    // Return the key window as presentation anchor
+    return [[NSApplication sharedApplication] keyWindow] ?: [[NSApplication sharedApplication] mainWindow];
+}
+
+- (void)authorizationController:(ASAuthorizationController *)controller
+   didCompleteWithAuthorization:(ASAuthorization *)authorization API_AVAILABLE(macos(10.15)) {
+    AppleAuthResult result = {};
+    result.success = false;
+
+    if ([authorization.credential isKindOfClass:[ASAuthorizationAppleIDCredential class]]) {
+        ASAuthorizationAppleIDCredential* credential = (ASAuthorizationAppleIDCredential*)authorization.credential;
+
+        result.success = true;
+
+        if (credential.identityToken) {
+            NSString* token = [[NSString alloc] initWithData:credential.identityToken encoding:NSUTF8StringEncoding];
+            if (token) {
+                result.identityToken = [token UTF8String];
+            }
+        }
+
+        if (credential.authorizationCode) {
+            NSString* code = [[NSString alloc] initWithData:credential.authorizationCode encoding:NSUTF8StringEncoding];
+            if (code) {
+                result.authorizationCode = [code UTF8String];
+            }
+        }
+
+        if (credential.user) {
+            result.user = [credential.user UTF8String];
+        }
+
+        if (credential.email) {
+            result.email = [credential.email UTF8String];
+        }
+
+        if (credential.fullName) {
+            NSPersonNameComponentsFormatter* formatter = [[NSPersonNameComponentsFormatter alloc] init];
+            formatter.style = NSPersonNameComponentsFormatterStyleDefault;
+            NSString* fullName = [formatter stringFromPersonNameComponents:credential.fullName];
+            if (fullName && [fullName length] > 0) {
+                result.fullName = [fullName UTF8String];
+            }
+        }
+
+        if (self.rawNonce) {
+            result.rawNonce = [self.rawNonce UTF8String];
+        }
+    } else {
+        result.errorMessage = "Unknown credential type";
+    }
+
+    if (self.completionHandler) {
+        self.completionHandler(result);
+    }
+}
+
+- (void)authorizationController:(ASAuthorizationController *)controller
+           didCompleteWithError:(NSError *)error API_AVAILABLE(macos(10.15)) {
+    AppleAuthResult result = {};
+    result.success = false;
+
+    if (error.code == ASAuthorizationErrorCanceled) {
+        result.errorMessage = "User cancelled Apple Sign-In";
+    } else {
+        result.errorMessage = [[NSString stringWithFormat:@"Apple Sign-In failed: %@", error.localizedDescription] UTF8String];
+    }
+
+    if (self.completionHandler) {
+        self.completionHandler(result);
+    }
+}
+
+@end
+
+// ============================================================================
+// Async Worker for Apple Sign-In
+// ============================================================================
+
+class AppleSignInWorker : public Napi::AsyncWorker {
+public:
+    AppleSignInWorker(Napi::Env env, Napi::Promise::Deferred deferred)
+        : Napi::AsyncWorker(env), deferred_(deferred) {}
+
+    void Execute() override {
+        // This runs in a worker thread, but we need to call Apple APIs on main thread
+        // So we use dispatch_sync to run on main thread and wait for result
+        
+        if (@available(macOS 10.15, *)) {
+            __block AppleAuthResult blockResult = {};
+            __block bool completed = false;
+            __block NSCondition* condition = [[NSCondition alloc] init];
+            
+            // Generate nonce
+            NSString* rawNonce = generateNonce(32);
+            NSString* hashedNonce = sha256(rawNonce);
+            
+            dispatch_async(dispatch_get_main_queue(), ^{
+                // Create Apple ID provider and request
+                ASAuthorizationAppleIDProvider* provider = [[ASAuthorizationAppleIDProvider alloc] init];
+                ASAuthorizationAppleIDRequest* request = [provider createRequest];
+                request.requestedScopes = @[ASAuthorizationScopeFullName, ASAuthorizationScopeEmail];
+                request.nonce = hashedNonce;
+
+                // Create authorization controller
+                ASAuthorizationController* controller = [[ASAuthorizationController alloc]
+                    initWithAuthorizationRequests:@[request]];
+
+                // Create delegate
+                AppleAuthDelegate* delegate = [[AppleAuthDelegate alloc] init];
+                delegate.rawNonce = rawNonce;
+                
+                // Store delegate to prevent deallocation
+                static AppleAuthDelegate* gDelegate = nil;
+                gDelegate = delegate;
+                
+                delegate.completionHandler = ^(AppleAuthResult res) {
+                    [condition lock];
+                    blockResult = res;
+                    completed = true;
+                    [condition signal];
+                    [condition unlock];
+                    gDelegate = nil; // Release delegate
+                };
+
+                controller.delegate = delegate;
+                controller.presentationContextProvider = delegate;
+
+                // Perform authorization request
+                [controller performRequests];
+            });
+            
+            // Wait for completion (with timeout)
+            [condition lock];
+            NSDate* timeout = [NSDate dateWithTimeIntervalSinceNow:300]; // 5 minutes
+            while (!completed) {
+                if (![condition waitUntilDate:timeout]) {
+                    // Timeout
+                    blockResult.success = false;
+                    blockResult.errorMessage = "Apple Sign-In timed out";
+                    break;
+                }
+            }
+            [condition unlock];
+            
+            result_ = blockResult;
+        } else {
+            result_.success = false;
+            result_.errorMessage = "Apple Sign-In requires macOS 10.15 or later";
+        }
+    }
+
+    void OnOK() override {
+        Napi::Env env = Env();
+        
+        if (result_.success) {
+            Napi::Object obj = Napi::Object::New(env);
+            obj.Set("identityToken", Napi::String::New(env, result_.identityToken));
+            
+            if (!result_.authorizationCode.empty()) {
+                obj.Set("authorizationCode", Napi::String::New(env, result_.authorizationCode));
+            }
+            if (!result_.user.empty()) {
+                obj.Set("user", Napi::String::New(env, result_.user));
+            }
+            if (!result_.email.empty()) {
+                obj.Set("email", Napi::String::New(env, result_.email));
+            }
+            if (!result_.fullName.empty()) {
+                obj.Set("fullName", Napi::String::New(env, result_.fullName));
+            }
+            if (!result_.rawNonce.empty()) {
+                obj.Set("rawNonce", Napi::String::New(env, result_.rawNonce));
+            }
+            
+            deferred_.Resolve(obj);
+        } else {
+            deferred_.Reject(Napi::Error::New(env, result_.errorMessage).Value());
+        }
+    }
+
+    void OnError(const Napi::Error& e) override {
+        deferred_.Reject(e.Value());
+    }
+
+private:
+    Napi::Promise::Deferred deferred_;
+    AppleAuthResult result_;
+};
+
+// ============================================================================
+// N-API Functions
+// ============================================================================
+
+/**
+ * Check if Apple Sign-In is available on this system.
+ * Requires macOS 10.15 (Catalina) or later.
+ */
+Napi::Boolean IsAvailable(const Napi::CallbackInfo& info) {
+    Napi::Env env = info.Env();
+
+    if (@available(macOS 10.15, *)) {
+        return Napi::Boolean::New(env, true);
+    }
+    return Napi::Boolean::New(env, false);
+}
+
+/**
+ * Perform Apple Sign-In and return identity token.
+ *
+ * Returns a Promise that resolves with:
+ * {
+ *   identityToken: string,    // JWT token to send to Supabase
+ *   authorizationCode: string,
+ *   user: string,             // Apple user ID
+ *   email: string | null,     // Only on first sign-in
+ *   fullName: string | null,  // Only on first sign-in
+ *   rawNonce: string          // Raw nonce for Supabase validation
+ * }
+ *
+ * Or rejects with an error.
+ */
+Napi::Value SignIn(const Napi::CallbackInfo& info) {
+    Napi::Env env = info.Env();
+    Napi::Promise::Deferred deferred = Napi::Promise::Deferred::New(env);
+
+    if (@available(macOS 10.15, *)) {
+        AppleSignInWorker* worker = new AppleSignInWorker(env, deferred);
+        worker->Queue();
+    } else {
+        deferred.Reject(Napi::Error::New(env, "Apple Sign-In requires macOS 10.15 or later").Value());
+    }
+
+    return deferred.Promise();
+}
+
+// Module initialization
+Napi::Object Init(Napi::Env env, Napi::Object exports) {
+    exports.Set("isAvailable", Napi::Function::New(env, IsAvailable));
+    exports.Set("signIn", Napi::Function::New(env, SignIn));
+    return exports;
+}
+
+NODE_API_MODULE(apple_auth, Init)
diff --git a/apps/ext/src/manifest/chrome.js b/apps/ext/src/manifest/chrome.js
index 0362b34824fb..27b16d02cee1 100644
--- a/apps/ext/src/manifest/chrome.js
+++ b/apps/ext/src/manifest/chrome.js
@@ -63,6 +63,7 @@ module.exports = {
     '*://*.onekeycn.com/*',
     '*://*.onekeytest.com/*',
     // '*://*.eth/',
+    'identity',
     'storage',
     'unlimitedStorage',
     'webRequest',
diff --git a/apps/ext/src/manifest/chrome_v3.js b/apps/ext/src/manifest/chrome_v3.js
index d8b3edf6a29a..ef365ea3660b 100644
--- a/apps/ext/src/manifest/chrome_v3.js
+++ b/apps/ext/src/manifest/chrome_v3.js
@@ -111,6 +111,7 @@ module.exports = {
     // '*://*.onekeycn.com/*',
     // '*://*.onekeytest.com/*',
     // '*://*.eth/',
+    'identity',
     'activeTab',
     'storage',
     'unlimitedStorage',
diff --git a/apps/mobile/ios/OneKeyWallet.xcodeproj/project.pbxproj b/apps/mobile/ios/OneKeyWallet.xcodeproj/project.pbxproj
index e643666eb868..9428fa709739 100644
--- a/apps/mobile/ios/OneKeyWallet.xcodeproj/project.pbxproj
+++ b/apps/mobile/ios/OneKeyWallet.xcodeproj/project.pbxproj
@@ -306,10 +306,14 @@
 				LastUpgradeCheck = 1130;
 				TargetAttributes = {
 					13B07F861A680F5B00A75B9A = {
+						DevelopmentTeam = BVJ3FU5H2K;
 						LastSwiftMigration = 1250;
+						ProvisioningStyle = Automatic;
 					};
 					C274DABC2AE2644400755275 = {
 						CreatedOnToolsVersion = 14.3.1;
+						DevelopmentTeam = BVJ3FU5H2K;
+						ProvisioningStyle = Automatic;
 					};
 				};
 			};
@@ -483,6 +487,7 @@
 			);
 			inputPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-OneKeyWallet/Pods-OneKeyWallet-resources.sh",
+				"${PODS_CONFIGURATION_BUILD_DIR}/AppAuth/AppAuthCore_Privacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/CocoaLumberjack/CocoaLumberjackPrivacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/EXApplication/ExpoApplication_privacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/EXConstants/EXConstants.bundle",
@@ -491,6 +496,11 @@
 				"${PODS_CONFIGURATION_BUILD_DIR}/ExpoDevice/ExpoDevice_privacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/ExpoFileSystem/ExpoFileSystem_privacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/ExpoLocalization/ExpoLocalization_privacy.bundle",
+				"${PODS_CONFIGURATION_BUILD_DIR}/GTMAppAuth/GTMAppAuth_Privacy.bundle",
+				"${PODS_CONFIGURATION_BUILD_DIR}/GTMSessionFetcher/GTMSessionFetcher_Core_Privacy.bundle",
+				"${PODS_CONFIGURATION_BUILD_DIR}/GoogleSignIn/GoogleSignIn.bundle",
+				"${PODS_CONFIGURATION_BUILD_DIR}/GoogleUtilities/GoogleUtilities_Privacy.bundle",
+				"${PODS_CONFIGURATION_BUILD_DIR}/PromisesObjC/FBLPromises_Privacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/PurchasesHybridCommon/PurchasesHybridCommon.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/RCT-Folly/RCT-Folly_privacy.bundle",
 				"${PODS_CONFIGURATION_BUILD_DIR}/RNCAsyncStorage/RNCAsyncStorage_resources.bundle",
@@ -514,6 +524,7 @@
 			);
 			name = "[CP] Copy Pods Resources";
 			outputPaths = (
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/AppAuthCore_Privacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/CocoaLumberjackPrivacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/ExpoApplication_privacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/EXConstants.bundle",
@@ -522,6 +533,11 @@
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/ExpoDevice_privacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/ExpoFileSystem_privacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/ExpoLocalization_privacy.bundle",
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/GTMAppAuth_Privacy.bundle",
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/GTMSessionFetcher_Core_Privacy.bundle",
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/GoogleSignIn.bundle",
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/GoogleUtilities_Privacy.bundle",
+				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/FBLPromises_Privacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/PurchasesHybridCommon.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/RCT-Folly_privacy.bundle",
 				"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/RNCAsyncStorage_resources.bundle",
@@ -622,9 +638,9 @@
 				CODE_SIGN_ENTITLEMENTS = OneKeyWallet/OneKeyWallet.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
-				CODE_SIGN_STYLE = Manual;
+				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = "";
+				DEVELOPMENT_TEAM = BVJ3FU5H2K;
 				"DEVELOPMENT_TEAM[sdk=iphoneos*]" = BVJ3FU5H2K;
 				ENABLE_BITCODE = NO;
 				"EXCLUDED_ARCHS[sdk=iphonesimulator*]" = x86_64;
@@ -650,7 +666,7 @@
 				PRODUCT_BUNDLE_IDENTIFIER = so.onekey.wallet;
 				PRODUCT_NAME = OneKeyWallet;
 				PROVISIONING_PROFILE_SPECIFIER = "";
-				"PROVISIONING_PROFILE_SPECIFIER[sdk=iphoneos*]" = "OneKeyWalletX Profile Development-25/7/14";
+				"PROVISIONING_PROFILE_SPECIFIER[sdk=iphoneos*]" = "OneKeyWalletX Profile Development-25/01/05";
 				SWIFT_OBJC_BRIDGING_HEADER = "OneKeyWallet/OneKeyWallet-Bridging-Header.h";
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_VERSION = 5.0;
@@ -687,6 +703,7 @@
 				OTHER_SWIFT_FLAGS = "$(inherited) -D EXPO_CONFIGURATION_RELEASE";
 				PRODUCT_BUNDLE_IDENTIFIER = so.onekey.wallet;
 				PRODUCT_NAME = OneKeyWallet;
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SWIFT_OBJC_BRIDGING_HEADER = "OneKeyWallet/OneKeyWallet-Bridging-Header.h";
 				SWIFT_VERSION = 5.0;
 				TARGETED_DEVICE_FAMILY = "1,2";
@@ -867,10 +884,10 @@
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				"CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "iPhone Developer";
-				CODE_SIGN_STYLE = Manual;
+				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 1;
 				DEBUG_INFORMATION_FORMAT = dwarf;
-				DEVELOPMENT_TEAM = "";
+				DEVELOPMENT_TEAM = BVJ3FU5H2K;
 				"DEVELOPMENT_TEAM[sdk=iphoneos*]" = BVJ3FU5H2K;
 				GCC_C_LANGUAGE_STANDARD = gnu11;
 				GCC_PREPROCESSOR_DEFINITIONS = (
@@ -894,7 +911,7 @@
 				PRODUCT_BUNDLE_IDENTIFIER = so.onekey.wallet.ServiceExtension;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				PROVISIONING_PROFILE_SPECIFIER = "";
-				"PROVISIONING_PROFILE_SPECIFIER[sdk=iphoneos*]" = "OneKeyWallet ServiceExtension development-25/7/14";
+				"PROVISIONING_PROFILE_SPECIFIER[sdk=iphoneos*]" = "OneKeyWallet ServiceExtension development-25/01/05";
 				SKIP_INSTALL = YES;
 				SWIFT_EMIT_LOC_STRINGS = YES;
 				TARGETED_DEVICE_FAMILY = "1,2";
@@ -933,6 +950,7 @@
 				OTHER_SWIFT_FLAGS = "$(inherited) -D EXPO_CONFIGURATION_RELEASE";
 				PRODUCT_BUNDLE_IDENTIFIER = so.onekey.wallet.ServiceExtension;
 				PRODUCT_NAME = "$(TARGET_NAME)";
+				PROVISIONING_PROFILE_SPECIFIER = "";
 				SKIP_INSTALL = YES;
 				SWIFT_EMIT_LOC_STRINGS = YES;
 				TARGETED_DEVICE_FAMILY = "1,2";
diff --git a/apps/mobile/ios/OneKeyWallet/Info.plist b/apps/mobile/ios/OneKeyWallet/Info.plist
index 5851e789d28c..e592264b6d05 100644
--- a/apps/mobile/ios/OneKeyWallet/Info.plist
+++ b/apps/mobile/ios/OneKeyWallet/Info.plist
@@ -33,6 +33,14 @@
 				<string>ethereum</string>
 			</array>
 		</dict>
+		<dict>
+			<key>CFBundleTypeRole</key>
+			<string>Editor</string>
+			<key>CFBundleURLSchemes</key>
+			<array>
+				<string>com.googleusercontent.apps.244450898872-5uo9r8ekdc82huckjcr4br67edvf3vlg</string>
+			</array>
+		</dict>
 	</array>
 	<key>CFBundleVersion</key>
 	<string>1</string>
diff --git a/apps/mobile/ios/OneKeyWallet/OneKeyWallet.entitlements b/apps/mobile/ios/OneKeyWallet/OneKeyWallet.entitlements
index 18f7a066dac1..3c34e71a932b 100644
--- a/apps/mobile/ios/OneKeyWallet/OneKeyWallet.entitlements
+++ b/apps/mobile/ios/OneKeyWallet/OneKeyWallet.entitlements
@@ -4,32 +4,34 @@
 <dict>
 	<key>aps-environment</key>
 	<string>development</string>
+	<key>com.apple.developer.applesignin</key>
+	<array>
+		<string>Default</string>
+	</array>
 	<key>com.apple.developer.associated-domains</key>
 	<array>
 		<string>applinks:app.onekey.so</string>
 	</array>
-	<key>com.apple.developer.nfc.readersession.formats</key>
+	<key>com.apple.developer.icloud-container-environment</key>
+	<string>Production</string>
+	<key>com.apple.developer.icloud-container-identifiers</key>
 	<array>
-		<string>TAG</string>
+		<string>iCloud.so.onekey.wallet</string>
 	</array>
-
 	<key>com.apple.developer.icloud-services</key>
 	<array>
 		<string>CloudKit</string>
 		<string>CloudDocuments</string>
 	</array>
-	<key>com.apple.developer.icloud-container-environment</key>
-    <string>Production</string>
-	<key>com.apple.developer.ubiquity-kvstore-identifier</key>
-    <string>BVJ3FU5H2K.so.onekey.wallet</string>
-	<key>com.apple.developer.icloud-container-identifiers</key>
+	<key>com.apple.developer.nfc.readersession.formats</key>
 	<array>
-		<string>iCloud.so.onekey.wallet</string>
+		<string>TAG</string>
 	</array>
 	<key>com.apple.developer.ubiquity-container-identifiers</key>
 	<array>
 		<string>iCloud.so.onekey.wallet</string>
 	</array>
-
+	<key>com.apple.developer.ubiquity-kvstore-identifier</key>
+	<string>BVJ3FU5H2K.so.onekey.wallet</string>
 </dict>
 </plist>
diff --git a/apps/mobile/ios/Podfile b/apps/mobile/ios/Podfile
index 5e0b00d3961b..d8381d36e9f3 100644
--- a/apps/mobile/ios/Podfile
+++ b/apps/mobile/ios/Podfile
@@ -192,6 +192,9 @@ target 'OneKeyWallet' do
   # Enable modular headers for EMASCurl to fix SniConnect dependency
   pod 'EMASCurl', :modular_headers => true
 
+  # Manually add RNGoogleSignin pod (expo-module.config.json only includes the Expo adapter, not the TurboModule)
+  # pod 'RNGoogleSignin', :path => '../../../node_modules/@react-native-google-signin/google-signin'
+
   post_install do |installer|
     react_native_post_install(
       installer,
@@ -211,14 +214,22 @@ target 'OneKeyWallet' do
     end
     installer.pods_project.targets.each do |target|
       # https://github.com/mockingbot/react-native-zip-archive/issues/307
-      # error: /node_modules/react-native-zip-archive/ios/RNZipArchive.m unsupported option '-G' for target 'arm64-apple-ios14.0-simulator' 
+      # error: /node_modules/react-native-zip-archive/ios/RNZipArchive.m unsupported option '-G' for target 'arm64-apple-ios14.0-simulator'
       if target.name == 'RNZipArchive'
         target.source_build_phase.files.each do |file|
           if file.settings && file.settings['COMPILER_FLAGS']
-              file.settings['COMPILER_FLAGS'] = ''
+            file.settings['COMPILER_FLAGS'] = ''
           end
         end
       end
+
+      # Fix JuiceboxSdkFfi module not found error for RNJuiceboxSdk
+      if target.name == 'RNJuiceboxSdk'
+        target.build_configurations.each do |config|
+          juicebox_ffi_path = '${PODS_ROOT}/JuiceboxSdk/swift/Sources/JuiceboxSdkFfi'
+          config.build_settings['SWIFT_INCLUDE_PATHS'] = "$(inherited) #{juicebox_ffi_path}"
+        end
+      end
     end
 
     # bitcode_strip_path = `xcrun --find bitcode_strip`.chop!
@@ -243,5 +254,30 @@ target 'OneKeyWallet' do
     rescue => e
       Pod::UI.warn e
     end
+
+    # Fix JuiceboxSdkFfi linking - directly modify xcconfig files after integration
+    pods_dir = File.join(__dir__, 'Pods')
+    ['debug', 'release'].each do |config|
+      xcconfig_path = File.join(pods_dir, 'Target Support Files', 'Pods-OneKeyWallet', "Pods-OneKeyWallet.#{config}.xcconfig")
+      if File.exist?(xcconfig_path)
+        content = File.read(xcconfig_path)
+
+        # Add CARGO_BUILD_TARGET if not present
+        unless content.include?('CARGO_BUILD_TARGET')
+          content += "\nCARGO_BUILD_TARGET[sdk=iphoneos*] = aarch64-apple-ios"
+          content += "\nCARGO_BUILD_TARGET[sdk=iphonesimulator*][arch=*] = x86_64-apple-ios"
+          content += "\nCARGO_BUILD_TARGET[sdk=iphonesimulator*][arch=arm64] = aarch64-apple-ios-sim"
+        end
+
+        # Add FFI library to OTHER_LDFLAGS if not present
+        juicebox_ffi_lib = '${PODS_ROOT}/JuiceboxSdk/artifacts/ffi/$(CARGO_BUILD_TARGET)/libjuicebox_sdk_ffi.a'
+        unless content.include?('libjuicebox_sdk_ffi.a')
+          content = content.gsub(/^(OTHER_LDFLAGS = .*)$/, "\\1 #{juicebox_ffi_lib}")
+        end
+
+        File.write(xcconfig_path, content)
+        puts "Modified #{xcconfig_path} for JuiceboxSdkFfi"
+      end
+    end
   end
 end
diff --git a/apps/mobile/ios/Podfile.lock b/apps/mobile/ios/Podfile.lock
index 0ff9a226ff80..fc9bda9e86ec 100644
--- a/apps/mobile/ios/Podfile.lock
+++ b/apps/mobile/ios/Podfile.lock
@@ -1,4 +1,14 @@
 PODS:
+  - AppAuth (2.0.0):
+    - AppAuth/Core (= 2.0.0)
+    - AppAuth/ExternalUserAgent (= 2.0.0)
+  - AppAuth/Core (2.0.0)
+  - AppAuth/ExternalUserAgent (2.0.0):
+    - AppAuth/Core
+  - AppCheckCore (11.2.0):
+    - GoogleUtilities/Environment (~> 8.0)
+    - GoogleUtilities/UserDefaults (~> 8.0)
+    - PromisesObjC (~> 2.4)
   - BackgroundThread (1.1.14):
     - boost
     - DoubleConversion
@@ -136,6 +146,10 @@ PODS:
     - ReactCommon/turbomodule/core
     - SocketRocket
     - Yoga
+  - ExpoAdapterGoogleSignIn (16.1.0):
+    - ExpoModulesCore
+    - GoogleSignIn (~> 9.0)
+    - React-Core
   - ExpoAppleAuthentication (7.2.4):
     - ExpoModulesCore
   - ExpoAsset (12.0.10):
@@ -251,6 +265,24 @@ PODS:
   - FBLazyVector (0.81.5)
   - fmt (11.0.2)
   - glog (0.3.5)
+  - GoogleSignIn (9.0.0):
+    - AppAuth (~> 2.0)
+    - AppCheckCore (~> 11.0)
+    - GTMAppAuth (~> 5.0)
+    - GTMSessionFetcher/Core (~> 3.3)
+  - GoogleUtilities/Environment (8.1.0):
+    - GoogleUtilities/Privacy
+  - GoogleUtilities/Logger (8.1.0):
+    - GoogleUtilities/Environment
+    - GoogleUtilities/Privacy
+  - GoogleUtilities/Privacy (8.1.0)
+  - GoogleUtilities/UserDefaults (8.1.0):
+    - GoogleUtilities/Logger
+    - GoogleUtilities/Privacy
+  - GTMAppAuth (5.0.0):
+    - AppAuth/Core (~> 2.0)
+    - GTMSessionFetcher/Core (< 4.0, >= 3.3)
+  - GTMSessionFetcher/Core (3.5.0)
   - hermes-engine (0.81.5):
     - hermes-engine/Pre-built (= 0.81.5)
   - hermes-engine/Pre-built (0.81.5)
@@ -260,6 +292,7 @@ PODS:
     - React
   - JPushRN (3.2.1):
     - React
+  - JuiceboxSdk (0.3.2)
   - KeychainModule (1.1.14):
     - boost
     - DoubleConversion
@@ -394,6 +427,7 @@ PODS:
     - ReactCommon/turbomodule/core
     - SocketRocket
     - Yoga
+  - PromisesObjC (2.4.0)
   - PurchasesHybridCommon (14.2.0):
     - RevenueCat (= 5.32.0)
   - RCT-Folly (2024.11.18.00):
@@ -3439,6 +3473,35 @@ PODS:
     - ReactCommon/turbomodule/core
     - SocketRocket
     - Yoga
+  - RNGoogleSignin (16.1.0):
+    - boost
+    - DoubleConversion
+    - fast_float
+    - fmt
+    - glog
+    - GoogleSignIn (~> 9.0)
+    - hermes-engine
+    - RCT-Folly
+    - RCT-Folly/Fabric
+    - RCTRequired
+    - RCTTypeSafety
+    - React-Core
+    - React-debug
+    - React-Fabric
+    - React-featureflags
+    - React-graphics
+    - React-ImageManager
+    - React-jsi
+    - React-NativeModulesApple
+    - React-RCTFabric
+    - React-renderercss
+    - React-rendererdebug
+    - React-utils
+    - ReactCodegen
+    - ReactCommon/turbomodule/bridging
+    - ReactCommon/turbomodule/core
+    - SocketRocket
+    - Yoga
   - RNImageCropPicker (0.50.0):
     - boost
     - DoubleConversion
@@ -3500,6 +3563,35 @@ PODS:
     - SocketRocket
     - TOCropViewController (~> 2.7.4)
     - Yoga
+  - RNJuiceboxSdk (0.3.17):
+    - boost
+    - DoubleConversion
+    - fast_float
+    - fmt
+    - glog
+    - hermes-engine
+    - JuiceboxSdk (= 0.3.2)
+    - RCT-Folly
+    - RCT-Folly/Fabric
+    - RCTRequired
+    - RCTTypeSafety
+    - React-Core
+    - React-debug
+    - React-Fabric
+    - React-featureflags
+    - React-graphics
+    - React-ImageManager
+    - React-jsi
+    - React-NativeModulesApple
+    - React-RCTFabric
+    - React-renderercss
+    - React-rendererdebug
+    - React-utils
+    - ReactCodegen
+    - ReactCommon/turbomodule/bridging
+    - ReactCommon/turbomodule/core
+    - SocketRocket
+    - Yoga
   - RNNotifee (9.1.8):
     - React-Core
     - RNNotifee/NotifeeCore (= 9.1.8)
@@ -3965,6 +4057,7 @@ DEPENDENCIES:
   - EXImageLoader (from `../../../node_modules/expo-image-loader/ios`)
   - EXNotifications (from `../../../node_modules/expo-notifications/ios`)
   - Expo (from `../../../node_modules/expo`)
+  - "ExpoAdapterGoogleSignIn (from `../../../node_modules/@react-native-google-signin/google-signin/expo/ios`)"
   - ExpoAppleAuthentication (from `../../../node_modules/expo-apple-authentication/ios`)
   - ExpoAsset (from `../../../node_modules/expo-asset/ios`)
   - ExpoBlur (from `../../../node_modules/expo-blur/ios`)
@@ -4098,7 +4191,9 @@ DEPENDENCIES:
   - RNDnsLookup (from `../../../node_modules/react-native-dns-lookup`)
   - RNFileLogger (from `../../../node_modules/react-native-file-logger`)
   - RNGestureHandler (from `../../../node_modules/react-native-gesture-handler`)
+  - "RNGoogleSignin (from `../../../node_modules/@react-native-google-signin/google-signin`)"
   - RNImageCropPicker (from `../../../node_modules/react-native-image-crop-picker`)
+  - "RNJuiceboxSdk (from `../../../node_modules/@phantom/react-native-juicebox-sdk`)"
   - "RNNotifee (from `../../../node_modules/@notifee/react-native`)"
   - RNPermissions (from `../../../node_modules/react-native-permissions`)
   - RNPurchases (from `../../../node_modules/react-native-purchases`)
@@ -4117,12 +4212,20 @@ SPEC REPOS:
   https://github.com/aliyun/aliyun-specs.git:
     - EMASCurl
   https://github.com/CocoaPods/Specs.git:
+    - AppAuth
+    - AppCheckCore
     - CocoaAsyncSocket
     - CocoaLumberjack
+    - GoogleSignIn
+    - GoogleUtilities
+    - GTMAppAuth
+    - GTMSessionFetcher
+    - JuiceboxSdk
     - libwebp
     - lottie-ios
     - MMKVCore
     - MultiplatformBleAdapter
+    - PromisesObjC
     - PurchasesHybridCommon
     - React-Codegen
     - RevenueCat
@@ -4160,6 +4263,8 @@ EXTERNAL SOURCES:
     :path: "../../../node_modules/expo-notifications/ios"
   Expo:
     :path: "../../../node_modules/expo"
+  ExpoAdapterGoogleSignIn:
+    :path: "../../../node_modules/@react-native-google-signin/google-signin/expo/ios"
   ExpoAppleAuthentication:
     :path: "../../../node_modules/expo-apple-authentication/ios"
   ExpoAsset:
@@ -4425,8 +4530,12 @@ EXTERNAL SOURCES:
     :path: "../../../node_modules/react-native-file-logger"
   RNGestureHandler:
     :path: "../../../node_modules/react-native-gesture-handler"
+  RNGoogleSignin:
+    :path: "../../../node_modules/@react-native-google-signin/google-signin"
   RNImageCropPicker:
     :path: "../../../node_modules/react-native-image-crop-picker"
+  RNJuiceboxSdk:
+    :path: "../../../node_modules/@phantom/react-native-juicebox-sdk"
   RNNotifee:
     :path: "../../../node_modules/@notifee/react-native"
   RNPermissions:
@@ -4453,6 +4562,8 @@ EXTERNAL SOURCES:
     :path: "../../../node_modules/react-native/ReactCommon/yoga"
 
 SPEC CHECKSUMS:
+  AppAuth: 1c1a8afa7e12f2ec3a294d9882dfa5ab7d3cb063
+  AppCheckCore: cc8fd0a3a230ddd401f326489c99990b013f0c4f
   BackgroundThread: 2f51ad2b9ac5c8dc8b873295cb4fa0b77371df55
   BleUtils: 0fd18e5fd2732c89771dc79941c7320ac9c42015
   boost: 7e761d76ca2ce687f7cc98e698152abd03a18f90
@@ -4467,6 +4578,7 @@ SPEC CHECKSUMS:
   EXImageLoader: 4d3d3284141f1a45006cc4d0844061c182daf7ee
   EXNotifications: 1afe5275cf399920480fc5a9008676749a767d19
   Expo: 22c06b7185706d92688f6e943576198540836bc1
+  ExpoAdapterGoogleSignIn: d37ffdf6129a723126c1ead19f8ba52a9ab49dc6
   ExpoAppleAuthentication: 4d2e0c88a4463229760f1fbb9a937a810efb6863
   ExpoAsset: d839c8eae8124470332408427327e8f88beb2dfd
   ExpoBlur: 2dd8f64aa31f5d405652c21d3deb2d2588b1852f
@@ -4496,10 +4608,15 @@ SPEC CHECKSUMS:
   FBLazyVector: 5beb8028d5a2e75dd9634917f23e23d3a061d2aa
   fmt: a40bb5bd0294ea969aaaba240a927bd33d878cdd
   glog: 5683914934d5b6e4240e497e0f4a3b42d1854183
+  GoogleSignIn: c7f09cfbc85a1abf69187be091997c317cc33b77
+  GoogleUtilities: 00c88b9a86066ef77f0da2fab05f65d7768ed8e1
+  GTMAppAuth: 217a876b249c3c585a54fd6f73e6b58c4f5c4238
+  GTMSessionFetcher: 5aea5ba6bd522a239e236100971f10cb71b96ab6
   hermes-engine: 9f4dfe93326146a1c99eb535b1cb0b857a3cd172
   ImageColors: 51cd79f7a9d2524b7a681c660b0a50574085563b
   JCoreRN: d985de509185b381c177fde4bb6bfc686089fdbd
   JPushRN: 807bc962b2f25860e5c0caa5fcb7b4910572b890
+  JuiceboxSdk: b2222491ce92b263694c217ea202a54b66c5ec5f
   KeychainModule: b3a302819c0c8503a8a2b7062da406d67738974a
   libwebp: 02b23773aedb6ff1fd38cec7a77b81414c6842a8
   lottie-ios: a881093fab623c467d3bce374367755c272bdd59
@@ -4508,6 +4625,7 @@ SPEC CHECKSUMS:
   MultiplatformBleAdapter: b1fddd0d499b96b607e00f0faa8e60648343dc1d
   NitroMmkv: ce1df9b9f0e06dfbde2455d863047e0411fceb6e
   NitroModules: 5bc319d441f4983894ea66b1d392c519536e6d23
+  PromisesObjC: f5707f49cb48b9636751c5b2e7d227e43fba9f47
   PurchasesHybridCommon: f1650b33e9a1dd04d5e8a40dfe757f39e63f935c
   RCT-Folly: 846fda9475e61ec7bcbf8a3fe81edfcaeb090669
   RCTDeprecation: 5eb1d2eeff5fb91151e8a8eef45b6c7658b6c897
@@ -4606,7 +4724,9 @@ SPEC CHECKSUMS:
   RNDnsLookup: db4a89381b80ec1a5153088518d2c4f8e51f2521
   RNFileLogger: 5f13e0115cf71f27c032195a55567f5b473db4e7
   RNGestureHandler: 29bbca60c881e5243e219e3fe0016060002ed389
+  RNGoogleSignin: 628d629e8dca39fc4ab70e30cf55bb3fc284f518
   RNImageCropPicker: 882ced4c8ec0ce16b59456d935af91d9126cfd49
+  RNJuiceboxSdk: a2e85ef9d73eac5547cc89d0a4b7b0f6e798d253
   RNNotifee: 5e3b271e8ea7456a36eec994085543c9adca9168
   RNPermissions: 808e11d2ffe4d8ddea33d8304310a28f281b6a0a
   RNPurchases: 4c820359d90fab9c83ffd3ef5471d59db72e2ed1
@@ -4630,6 +4750,6 @@ SPEC CHECKSUMS:
   Yoga: 728df40394d49f3f471688747cf558158b3a3bd1
   ZXingObjC: 8898711ab495761b2dbbdec76d90164a6d7e14c5
 
-PODFILE CHECKSUM: ea18296bb911f4fe6f7cbbe3550d227a64e69397
+PODFILE CHECKSUM: f7b815894a74357a751287eb41cbf629f4744106
 
 COCOAPODS: 1.16.2
diff --git a/apps/mobile/ios/PrivacyInfo.xcprivacy b/apps/mobile/ios/PrivacyInfo.xcprivacy
index 2e0cd4040da4..4edd0b44dc45 100644
--- a/apps/mobile/ios/PrivacyInfo.xcprivacy
+++ b/apps/mobile/ios/PrivacyInfo.xcprivacy
@@ -29,6 +29,7 @@
 			<key>NSPrivacyAccessedAPITypeReasons</key>
 			<array>
 				<string>CA92.1</string>
+				<string>C56D.1</string>
 			</array>
 		</dict>
 		<dict>
diff --git a/apps/mobile/package.json b/apps/mobile/package.json
index 3a264a1375b0..ff3280a667d0 100644
--- a/apps/mobile/package.json
+++ b/apps/mobile/package.json
@@ -19,6 +19,7 @@
     "clean:build": "rimraf ./dist && rimraf ./expo && rimraf .tamagui && rimraf ./node_modules/.cache && yarn android:clean",
     "android:clean": "./android/gradlew clean -p ./android",
     "android:dependencies": "./android/gradlew dependencies -p ./android",
+    "eas-build-pre-install": "git config --global url.\"https://github.com/juicebox-systems/\".insteadOf \"git@github.com:juicebox-systems/\"",
     "eas-build-post-install": "echo $KEY_SECRET | base64 -d > ../../node_modules/@onekeyfe/react-native-lite-card/keys/keys.secret",
     "_folderslint": "yarn folderslint"
   },
@@ -54,10 +55,12 @@
     "@onekeyhq/components": "*",
     "@onekeyhq/kit": "*",
     "@onekeyhq/shared": "*",
+    "@phantom/react-native-juicebox-sdk": "0.3.17",
     "@react-native-async-storage/async-storage": "2.2.0",
     "@react-native-community/netinfo": "11.4.1",
     "@react-native-community/slider": "5.0.1",
-    "@react-native-google-signin/google-signin": "^9.1.0",
+    "@react-native-google-signin/google-signin": "16.1.0",
+    "@reown/appkit-ethers5-react-native": "1.3.1",
     "@sentry/react-native": "6.22.0",
     "@shopify/flash-list": "2.2.0",
     "@types/react-native-canvas": "^0.1.13",
@@ -160,9 +163,7 @@
         "exclude": []
       },
       "ios": {
-        "exclude": [
-          "@react-native-google-signin/google-signin"
-        ]
+        "exclude": []
       }
     }
   }
diff --git a/apps/mobile/react-native.config.js b/apps/mobile/react-native.config.js
index d596f1c3aedd..060a4faf0a47 100644
--- a/apps/mobile/react-native.config.js
+++ b/apps/mobile/react-native.config.js
@@ -3,7 +3,7 @@ module.exports = {
   dependencies: {
     '@react-native-google-signin/google-signin': {
       platforms: {
-        ios: null,
+        // ios: null,
       },
     },
     'react-native-check-biometric-auth-changed': {
diff --git a/development/spellCheckerSkipWords.js b/development/spellCheckerSkipWords.js
index e822350913db..c0f1e05b9434 100644
--- a/development/spellCheckerSkipWords.js
+++ b/development/spellCheckerSkipWords.js
@@ -16,6 +16,7 @@ module.exports = [
   'reown',
   'cloudfs',
   'getters',
+  'Autopurge',
   'keyless',
   'shamir',
   '0xxxxxxx',
@@ -29,6 +30,7 @@ module.exports = [
   'cloudkit',
   'nktkas',
   'bbo',
+  'juicebox',
   '100vw',
   '10xxxxxx',
   'hardcode',
diff --git a/package.json b/package.json
index c446bf23689d..12c5e85c6414 100644
--- a/package.json
+++ b/package.json
@@ -122,6 +122,7 @@
     "isomorphic-ws": "^4.0.1",
     "jotai": "^2.5.0",
     "js-md5": "^0.8.3",
+    "juicebox-sdk": "^0.3.4",
     "lightweight-charts": "^3.8.0",
     "long": "^5.2.1",
     "lru-cache": "^10.2.0",
diff --git a/packages/components/src/content/Keyboard/index.tsx b/packages/components/src/content/Keyboard/index.tsx
index acd307cd2806..6527f9959aa9 100644
--- a/packages/components/src/content/Keyboard/index.tsx
+++ b/packages/components/src/content/Keyboard/index.tsx
@@ -3,7 +3,7 @@ import {
   dismissKeyboardWithDelay,
 } from '@onekeyhq/shared/src/keyboard';
 
-const PassThrough = (children: React.ReactNode) => children;
+const PassThrough = ({ children }: { children?: React.ReactNode }) => children;
 
 export const Keyboard = {
   AvoidingView: PassThrough,
diff --git a/packages/components/src/primitives/Button/index.tsx b/packages/components/src/primitives/Button/index.tsx
index 9c0531b090fa..a0175a51f7d4 100644
--- a/packages/components/src/primitives/Button/index.tsx
+++ b/packages/components/src/primitives/Button/index.tsx
@@ -129,7 +129,7 @@ export const getSharedButtonStyles = ({
           },
         }
       : {
-          opacity: 0.5,
+          opacity: 0.4,
         }),
   };
 
diff --git a/packages/components/src/primitives/Skeleton/BaseSkeleton.native.tsx b/packages/components/src/primitives/Skeleton/BaseSkeleton.native.tsx
index f5d683864131..4f85cbb06e90 100644
--- a/packages/components/src/primitives/Skeleton/BaseSkeleton.native.tsx
+++ b/packages/components/src/primitives/Skeleton/BaseSkeleton.native.tsx
@@ -1,4 +1,5 @@
 import { useMemo } from 'react';
+import type { ComponentRef, ForwardedRef } from 'react';
 
 import { SkeletonView } from '@onekeyfe/react-native-skeleton';
 
@@ -18,11 +19,10 @@ const baseColors = {
   dark: ['#111111', '#333333'],
   light: ['#fafafa', '#cdcdcd'],
 };
-export function BaseSkeleton({
-  colorMode,
-  children,
-  ...props
-}: ISkeletonProps) {
+export function BaseSkeleton(
+  { colorMode, children, ...props }: ISkeletonProps,
+  ref: ForwardedRef<ComponentRef<typeof Stack>>,
+) {
   const [restProps, style] = usePropsAndStyle(props, {
     resolveValues: 'auto',
   });
@@ -43,6 +43,7 @@ export function BaseSkeleton({
   const isGroupLoading = useIsGroupLoading();
   return isGroupLoading === undefined || isGroupLoading ? (
     <Stack
+      ref={ref}
       bg="$bg"
       style={style as any}
       height={(style.height as number) || DEFAULT_SKELETON_SIZE}
diff --git a/packages/components/src/primitives/Skeleton/BaseSkeleton.tsx b/packages/components/src/primitives/Skeleton/BaseSkeleton.tsx
index 56d12760d379..d7e00f8037a0 100644
--- a/packages/components/src/primitives/Skeleton/BaseSkeleton.tsx
+++ b/packages/components/src/primitives/Skeleton/BaseSkeleton.tsx
@@ -1,4 +1,5 @@
-import { useMemo } from 'react';
+import { forwardRef, useMemo } from 'react';
+import type { ComponentRef } from 'react';
 
 import type { StackStyle } from '@onekeyhq/components/src/shared/tamagui';
 import {
@@ -13,12 +14,10 @@ import { useIsGroupLoading } from './context';
 
 import type { ISkeletonProps } from './type';
 
-export function BaseSkeleton({
-  colorMode,
-  children,
-  show,
-  ...props
-}: ISkeletonProps) {
+export const BaseSkeleton = forwardRef<
+  ComponentRef<typeof Stack>,
+  ISkeletonProps
+>(({ colorMode, children, show, ...props }: ISkeletonProps, ref) => {
   const [{ className: classNameProp, ...restProps }, style] = usePropsAndStyle(
     props,
     {
@@ -53,6 +52,7 @@ export function BaseSkeleton({
   }, [show, isGroupLoading]);
   return showSkeleton ? (
     <Stack
+      ref={ref}
       bg="$bg"
       style={style as any}
       height={style.height || DEFAULT_SKELETON_SIZE}
@@ -65,4 +65,6 @@ export function BaseSkeleton({
   ) : (
     children || null
   );
-}
+});
+
+BaseSkeleton.displayName = 'BaseSkeleton';
diff --git a/packages/components/src/primitives/Skeleton/index.tsx b/packages/components/src/primitives/Skeleton/index.tsx
index ad3cb2b8b53b..063952d1c343 100644
--- a/packages/components/src/primitives/Skeleton/index.tsx
+++ b/packages/components/src/primitives/Skeleton/index.tsx
@@ -1,4 +1,4 @@
-import { forwardRef, useMemo } from 'react';
+import { useMemo } from 'react';
 
 import {
   styled,
@@ -124,7 +124,7 @@ function SkeletonGroup({
 }
 
 export const Skeleton = withStaticProperties(
-  styled(forwardRef(BaseSkeleton), {
+  styled(BaseSkeleton, {
     name: 'Skeleton',
   } as const),
   {
diff --git a/packages/kit-bg/src/dbs/local/LocalDbBase.ts b/packages/kit-bg/src/dbs/local/LocalDbBase.ts
index e7c2a91a329d..5da4d2983703 100644
--- a/packages/kit-bg/src/dbs/local/LocalDbBase.ts
+++ b/packages/kit-bg/src/dbs/local/LocalDbBase.ts
@@ -142,6 +142,7 @@ import type {
   IDBWalletNextIdKeys,
   IDBWalletNextIds,
   IDBWalletType,
+  IKeylessWalletDetailsInfo,
   ILocalDBRecordUpdater,
   ILocalDBTransaction,
   ILocalDBTxGetRecordByIdResult,
@@ -877,10 +878,7 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
       // TODO performance
       const { wallets } = await this.getWallets();
       const walletsByXfp = wallets.filter((w) => {
-        const isKeylessWallet = accountUtils.isKeylessWallet({
-          walletId: w.id,
-        });
-        if (isKeylessWallet) {
+        if (w.isKeyless) {
           return false;
         }
         return w.xfp === xfp;
@@ -910,10 +908,7 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
       const { wallets } = await this.getWallets();
       if (walletType === WALLET_TYPE_HD) {
         const wallet = wallets.find((w) => {
-          const isKeylessWallet = accountUtils.isKeylessWallet({
-            walletId: w.id,
-          });
-          if (isKeylessWallet) {
+          if (w.isKeyless) {
             return false;
           }
           const r = w.type === walletType && w.hash === walletHash;
@@ -1025,6 +1020,25 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
     }
 
     wallet.avatarInfo = avatarInfo;
+
+    let keylessDetailsInfo: IKeylessWalletDetailsInfo | undefined;
+    if (wallet.keylessDetails) {
+      try {
+        const parsedKeylessDetails = JSON.parse(
+          wallet.keylessDetails || '{}',
+        ) as IKeylessWalletDetailsInfo;
+        if (
+          parsedKeylessDetails?.keylessOwnerId &&
+          parsedKeylessDetails?.keylessProvider
+        ) {
+          keylessDetailsInfo = parsedKeylessDetails;
+        }
+      } catch (error) {
+        console.error('refillWalletInfo keylessDetails', error);
+      }
+    }
+
+    wallet.keylessDetailsInfo = keylessDetailsInfo;
     wallet.walletOrder = wallet.walletOrderSaved ?? wallet.walletNo;
     if (accountUtils.isHwHiddenWallet({ wallet })) {
       const parentWallet = await this.getParentWalletOfHiddenWallet({
@@ -1990,6 +2004,8 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
       rs,
       walletHash,
       walletXfp,
+      isKeylessWallet,
+      keylessDetailsInfo,
     } = params;
     const context = await this.getContext({ verifyPassword: password });
     const walletId = accountUtils.buildHdWalletId({
@@ -2022,6 +2038,10 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
         accounts: [],
         walletNo: context.nextWalletNo,
         deprecated: false,
+        isKeyless: !!isKeylessWallet,
+        keylessDetails: keylessDetailsInfo
+          ? JSON.stringify(keylessDetailsInfo)
+          : undefined,
       };
       currentWalletToCreate = _walletToCreate;
       currentAvatarInfo = options.avatar;
@@ -3303,7 +3323,13 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
     const wallet = await this.getWallet({
       walletId,
     });
-    const isKeylessWallet = accountUtils.isKeylessWallet({ walletId });
+    const isHardware =
+      accountUtils.isHwWallet({
+        walletId,
+      }) || accountUtils.isQrWallet({ walletId });
+    const isKeyless = wallet.isKeyless;
+    const isHdWallet = accountUtils.isHdWallet({ walletId });
+
     const walletsInSameDevice = await this.getNormalHwQrWalletInSameDevice({
       associatedDevice: wallet.associatedDevice,
     });
@@ -3314,7 +3340,7 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
     });
     // TODO buildSyncKeyAndPayloadSafe
     let syncKeyInfo: ICloudSyncKeyInfoWallet | undefined;
-    if (!isKeylessWallet) {
+    if (!isKeyless) {
       syncKeyInfo = await syncManagers.wallet.buildSyncKeyAndPayload({
         target,
       });
@@ -3326,10 +3352,6 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
       // remove wallet
       // remove address
 
-      const isHardware =
-        accountUtils.isHwWallet({
-          walletId,
-        }) || accountUtils.isQrWallet({ walletId });
       if (isHardware) {
         if (
           !isRemoveToMocked &&
@@ -3372,7 +3394,7 @@ export abstract class LocalDbBase extends LocalDbBaseContainer {
             });
           }
         }
-      } else if (!isKeylessWallet) {
+      } else if (isHdWallet) {
         await this.txRemoveRecords({
           tx,
           name: ELocalDBStoreNames.Credential,
diff --git a/packages/kit-bg/src/dbs/local/consts.ts b/packages/kit-bg/src/dbs/local/consts.ts
index fb93816f819c..4ab06c7986df 100644
--- a/packages/kit-bg/src/dbs/local/consts.ts
+++ b/packages/kit-bg/src/dbs/local/consts.ts
@@ -9,7 +9,7 @@ export const IS_DB_BUCKET_SUPPORT = Boolean(
 );
 
 const LOCAL_DB_NAME = 'OneKeyV5';
-const LOCAL_DB_VERSION = 14;
+const LOCAL_DB_VERSION = 15;
 
 // ----------------------------------------------
 
diff --git a/packages/kit-bg/src/dbs/local/realm/schemas/RealmSchemaWallet.ts b/packages/kit-bg/src/dbs/local/realm/schemas/RealmSchemaWallet.ts
index 53a5783531e4..e4d1525d798c 100644
--- a/packages/kit-bg/src/dbs/local/realm/schemas/RealmSchemaWallet.ts
+++ b/packages/kit-bg/src/dbs/local/realm/schemas/RealmSchemaWallet.ts
@@ -30,6 +30,8 @@ class RealmSchemaWallet extends RealmObjectBase<IDBWallet> {
 
   public isMocked?: boolean;
 
+  public isKeyless?: boolean;
+
   public passphraseState?: string;
 
   public firstEvmAddress?: string;
@@ -64,6 +66,7 @@ class RealmSchemaWallet extends RealmObjectBase<IDBWallet> {
       associatedDevice: 'string?',
       isTemp: { type: 'bool', default: false },
       isMocked: { type: 'bool', default: false },
+      isKeyless: { type: 'bool', default: false },
       passphraseState: 'string?',
       firstEvmAddress: 'string?',
       hash: 'string?',
@@ -90,6 +93,7 @@ class RealmSchemaWallet extends RealmObjectBase<IDBWallet> {
       associatedDevice: this.associatedDevice,
       isTemp: this.isTemp,
       isMocked: this.isMocked,
+      isKeyless: this.isKeyless,
       passphraseState: this.passphraseState,
       firstEvmAddress: this.firstEvmAddress,
       hash: this.hash,
diff --git a/packages/kit-bg/src/dbs/local/types.ts b/packages/kit-bg/src/dbs/local/types.ts
index efe4370c85cf..3cb22c15a888 100644
--- a/packages/kit-bg/src/dbs/local/types.ts
+++ b/packages/kit-bg/src/dbs/local/types.ts
@@ -2,6 +2,7 @@ import type {
   IBip39RevealableSeed,
   IBip39RevealableSeedEncryptHex,
 } from '@onekeyhq/core/src/secret';
+import type { EOAuthSocialLoginProvider } from '@onekeyhq/shared/src/consts/authConsts';
 import type {
   WALLET_TYPE_EXTERNAL,
   WALLET_TYPE_HD,
@@ -133,6 +134,10 @@ export type IDBWalletNextIdKeys =
   | 'accountGlobalNum'
   | 'hiddenWalletNum';
 export type IDBWalletNextIds = Partial<Record<IDBWalletNextIdKeys, number>>;
+export type IKeylessWalletDetailsInfo = {
+  keylessOwnerId: string;
+  keylessProvider: EOAuthSocialLoginProvider;
+};
 export type IDBWallet = IDBBaseObjectWithName & {
   type: IDBWalletType;
   backuped: boolean;
@@ -155,6 +160,9 @@ export type IDBWallet = IDBBaseObjectWithName & {
   dbIndexedAccounts?: IDBIndexedAccount[]; // readonly field
   isTemp?: boolean;
   isMocked?: boolean;
+  isKeyless?: boolean;
+  keylessDetails?: string; // JSON.stringify(keylessDetailsInfo)
+  keylessDetailsInfo?: IKeylessWalletDetailsInfo; // readonly field
   passphraseState?: string;
   walletNo: number;
   walletOrderSaved?: number; // db field
@@ -175,6 +183,8 @@ export type IDBCreateHDWalletParams = {
   walletHash: string;
   walletXfp: string;
   avatar?: IAvatarInfo;
+  isKeylessWallet?: boolean;
+  keylessDetailsInfo?: IKeylessWalletDetailsInfo;
 };
 export type IDBCreateKeylessWalletParams = {
   password: string;
diff --git a/packages/kit-bg/src/desktopApis/DesktopApiAppleAuth.ts b/packages/kit-bg/src/desktopApis/DesktopApiAppleAuth.ts
new file mode 100644
index 000000000000..107313ed32ad
--- /dev/null
+++ b/packages/kit-bg/src/desktopApis/DesktopApiAppleAuth.ts
@@ -0,0 +1,55 @@
+import {
+  isAppleAuthAvailable,
+  signInWithApple,
+} from '@onekeyhq/desktop/app/service/appleAuth/appleAuth';
+
+import type { IDesktopApi } from './instance/IDesktopApi';
+
+export interface IAppleSignInResult {
+  /** JWT identity token to send to Supabase signInWithIdToken */
+  identityToken: string;
+  /** Authorization code (for server-side validation) */
+  authorizationCode?: string;
+  /** Apple user identifier (stable across sign-ins) */
+  user: string;
+  /** User's email (only provided on first sign-in) */
+  email?: string;
+  /** User's full name (only provided on first sign-in) */
+  fullName?: string;
+  /** Raw nonce for Supabase validation */
+  rawNonce: string;
+}
+
+/**
+ * Desktop API for native Apple Sign-In (macOS only)
+ *
+ * Uses ASAuthorizationController from AuthenticationServices framework
+ * to perform native Apple Sign-In without opening a browser.
+ */
+class DesktopApiAppleAuth {
+  constructor({ desktopApi }: { desktopApi: IDesktopApi }) {
+    this.desktopApi = desktopApi;
+  }
+
+  desktopApi: IDesktopApi;
+
+  /**
+   * Check if native Apple Sign-In is available.
+   * Requires macOS 10.15+ and the native module to be built.
+   */
+  isAvailable(): boolean {
+    return isAppleAuthAvailable();
+  }
+
+  /**
+   * Perform native Apple Sign-In.
+   *
+   * @returns Promise with identity token and nonce for Supabase
+   * @throws Error if sign-in fails or user cancels
+   */
+  async signIn(): Promise<IAppleSignInResult> {
+    return signInWithApple();
+  }
+}
+
+export default DesktopApiAppleAuth;
diff --git a/packages/kit-bg/src/desktopApis/instance/IDesktopApi.ts b/packages/kit-bg/src/desktopApis/instance/IDesktopApi.ts
index 08342ebee447..5b90c1d5a6a3 100644
--- a/packages/kit-bg/src/desktopApis/instance/IDesktopApi.ts
+++ b/packages/kit-bg/src/desktopApis/instance/IDesktopApi.ts
@@ -1,3 +1,4 @@
+import type DesktopApiAppleAuth from '../DesktopApiAppleAuth';
 import type DesktopApiAppUpdate from '../DesktopApiAppUpdate';
 import type DesktopApiBluetooth from '../DesktopApiBluetooth';
 import type DesktopApiBundleUpdate from '../DesktopApiBundleUpdate';
@@ -28,4 +29,5 @@ export interface IDesktopApi {
   keychain: DesktopApiKeychain;
   sniRequest: DesktopApiSniRequest;
   oauthLocalServer: DesktopApiOAuthLocalServer;
+  appleAuth: DesktopApiAppleAuth;
 }
diff --git a/packages/kit-bg/src/desktopApis/instance/desktopApi.ts b/packages/kit-bg/src/desktopApis/instance/desktopApi.ts
index cd87f21c87b1..eada09d1b280 100644
--- a/packages/kit-bg/src/desktopApis/instance/desktopApi.ts
+++ b/packages/kit-bg/src/desktopApis/instance/desktopApi.ts
@@ -4,6 +4,7 @@ import { memoizee } from '@onekeyhq/shared/src/utils/cacheUtils';
 
 import { DESKTOP_API_MESSAGE_TYPE } from '../base/consts';
 import { JsBridgeDesktopApiOfMain } from '../base/JsBridgeDesktopApiOfMain';
+import DesktopApiAppleAuth from '../DesktopApiAppleAuth';
 import DesktopApiAppUpdate from '../DesktopApiAppUpdate';
 import DesktopApiBluetooth from '../DesktopApiBluetooth';
 import DesktopApiBundleUpdate from '../DesktopApiBundleUpdate';
@@ -83,6 +84,10 @@ class DesktopApi implements IDesktopApi {
       desktopApi: this,
     },
   );
+
+  appleAuth: DesktopApiAppleAuth = new DesktopApiAppleAuth({
+    desktopApi: this,
+  });
 }
 
 const desktopApi = new DesktopApi();
diff --git a/packages/kit-bg/src/desktopApis/instance/desktopApiProxy.ts b/packages/kit-bg/src/desktopApis/instance/desktopApiProxy.ts
index dbd5967b9e77..86cf98a6a830 100644
--- a/packages/kit-bg/src/desktopApis/instance/desktopApiProxy.ts
+++ b/packages/kit-bg/src/desktopApis/instance/desktopApiProxy.ts
@@ -10,6 +10,7 @@ import type {
   IDesktopApiKeys,
   IDesktopApiMessagePayload,
 } from '../base/types';
+import type DesktopApiAppleAuth from '../DesktopApiAppleAuth';
 import type DesktopApiAppUpdate from '../DesktopApiAppUpdate';
 import type DesktopApiBluetooth from '../DesktopApiBluetooth';
 import type DesktopApiBundleUpdate from '../DesktopApiBundleUpdate';
@@ -97,6 +98,9 @@ export class DesktopApiProxy extends RemoteApiProxyBase implements IDesktopApi {
 
   oauthLocalServer: DesktopApiOAuthLocalServer =
     this._createProxyModule<IDesktopApiKeys>('oauthLocalServer');
+
+  appleAuth: DesktopApiAppleAuth =
+    this._createProxyModule<IDesktopApiKeys>('appleAuth');
 }
 
 const desktopApiProxy = new DesktopApiProxy();
diff --git a/packages/kit-bg/src/services/ServiceAccount/ServiceAccount.ts b/packages/kit-bg/src/services/ServiceAccount/ServiceAccount.ts
index a25595839359..9a50135a45c9 100644
--- a/packages/kit-bg/src/services/ServiceAccount/ServiceAccount.ts
+++ b/packages/kit-bg/src/services/ServiceAccount/ServiceAccount.ts
@@ -267,37 +267,9 @@ class ServiceAccount extends ServiceBase {
     };
   }
 
-  private async shouldIncludeWalletButNotKeyless(
-    wallet: IDBWallet,
-  ): Promise<boolean> {
-    const isKeylessWallet = accountUtils.isKeylessWallet({
-      walletId: wallet.id,
-    });
-    if (!isKeylessWallet) {
-      return true;
-    }
-    let expectedId: string | undefined;
-    if (expectedId === undefined) {
-      const { keylessWalletId: packSetId } = await primePersistAtom.get();
-      expectedId = packSetId
-        ? accountUtils.buildKeylessWalletId({ sharePackSetId: packSetId })
-        : undefined;
-    }
-    if (!expectedId) {
-      return false;
-    }
-    return wallet.id === expectedId;
-  }
-
   @backgroundMethod()
   async getWallet({ walletId }: { walletId: string }): Promise<IDBWallet> {
     const wallet = await localDb.getWallet({ walletId });
-    const shouldInclude = await this.shouldIncludeWalletButNotKeyless(wallet);
-    if (!shouldInclude) {
-      throw new OneKeyError('KeylessWallet not found', {
-        code: EOneKeyErrorClassNames.OneKeyError,
-      });
-    }
     return wallet;
   }
 
@@ -336,10 +308,6 @@ class ServiceAccount extends ServiceBase {
     if (!wallet) {
       return undefined;
     }
-    const shouldInclude = await this.shouldIncludeWalletButNotKeyless(wallet);
-    if (!shouldInclude) {
-      return undefined;
-    }
     return wallet;
   }
 
@@ -379,6 +347,26 @@ class ServiceAccount extends ServiceBase {
     return localDb.getDevice(dbDeviceId);
   }
 
+  @backgroundMethod()
+  async isKeylessWalletExistsLocal(): Promise<boolean> {
+    await timerUtils.wait(1500, { devOnly: true });
+    const { wallets } = await this.getAllWallets();
+    return wallets.some((wallet) => wallet.isKeyless);
+  }
+
+  @backgroundMethod()
+  async getKeylessWallet(): Promise<IDBWallet | undefined> {
+    await timerUtils.wait(1500, { devOnly: true });
+    const { wallets } = await localDb.getAllWallets();
+    const wallet = wallets.find((w) => w.isKeyless);
+    if (wallet) {
+      await localDb.refillWalletInfo({
+        wallet,
+      });
+    }
+    return wallet;
+  }
+
   async getAllWallets(
     params: { refillWalletInfo?: boolean; excludeKeylessWallet?: boolean } = {},
   ) {
@@ -402,12 +390,7 @@ class ServiceAccount extends ServiceBase {
     }
     // Filter out keyless wallets if excludeKeylessWallet is true
     if (excludeKeylessWallet) {
-      wallets = wallets.filter(
-        (wallet) =>
-          !accountUtils.isKeylessWallet({
-            walletId: wallet.id,
-          }),
-      );
+      // do nothing
     }
     return { wallets, allDevices };
   }
@@ -418,13 +401,7 @@ class ServiceAccount extends ServiceBase {
   }> {
     const r = await localDb.getWallets(options);
 
-    const wallets: IDBWallet[] = [];
-    for (const wallet of r.wallets) {
-      const shouldInclude = await this.shouldIncludeWalletButNotKeyless(wallet);
-      if (shouldInclude) {
-        wallets.push(wallet);
-      }
-    }
+    const wallets: IDBWallet[] = r.wallets;
 
     return {
       ...r,
@@ -3062,12 +3039,16 @@ class ServiceAccount extends ServiceBase {
     name,
     mnemonic,
     isWalletBackedUp,
+    isKeylessWallet,
     avatarInfo,
+    keylessDetailsInfo,
   }: {
     mnemonic: string;
     name?: string;
     isWalletBackedUp?: boolean;
+    isKeylessWallet?: boolean;
     avatarInfo?: IAvatarInfo;
+    keylessDetailsInfo?: import('../../dbs/local/types').IKeylessWalletDetailsInfo;
   }) {
     const { servicePassword } = this.backgroundApi;
     const { password } = await servicePassword.promptPasswordVerify({
@@ -3107,7 +3088,9 @@ class ServiceAccount extends ServiceBase {
       walletHash: walletHashAndXfp.hash,
       walletXfp: walletHashAndXfp.xfp,
       isWalletBackedUp,
+      isKeylessWallet,
       avatarInfo,
+      keylessDetailsInfo,
     });
   }
 
@@ -3153,6 +3136,8 @@ class ServiceAccount extends ServiceBase {
     walletHash,
     walletXfp,
     isWalletBackedUp,
+    isKeylessWallet,
+    keylessDetailsInfo,
   }: {
     rs: string;
     password: string;
@@ -3161,6 +3146,8 @@ class ServiceAccount extends ServiceBase {
     walletHash: string;
     walletXfp: string;
     isWalletBackedUp?: boolean;
+    isKeylessWallet?: boolean;
+    keylessDetailsInfo?: import('../../dbs/local/types').IKeylessWalletDetailsInfo;
   }): Promise<{
     wallet: IDBWallet;
     indexedAccount?: IDBIndexedAccount;
@@ -3216,6 +3203,8 @@ class ServiceAccount extends ServiceBase {
       name,
       walletHash,
       walletXfp,
+      isKeylessWallet,
+      keylessDetailsInfo,
     });
 
     await timerUtils.wait(100);
@@ -4220,9 +4209,7 @@ class ServiceAccount extends ServiceBase {
       [walletId: string]: { hash: string; xfp: string };
     } = {};
     for (const wallet of hdWallets) {
-      const isKeylessWallet = accountUtils.isKeylessWallet({
-        walletId: wallet.id,
-      });
+      const isKeylessWallet = wallet.isKeyless;
       if (isKeylessWallet) {
         // eslint-disable-next-line no-continue
         continue;
diff --git a/packages/kit-bg/src/services/ServiceCloudBackupV2/backupProviders/GoogleDriveBackupProvider.ts b/packages/kit-bg/src/services/ServiceCloudBackupV2/backupProviders/GoogleDriveBackupProvider.ts
index 259da2ab83d6..f4bf9a726192 100644
--- a/packages/kit-bg/src/services/ServiceCloudBackupV2/backupProviders/GoogleDriveBackupProvider.ts
+++ b/packages/kit-bg/src/services/ServiceCloudBackupV2/backupProviders/GoogleDriveBackupProvider.ts
@@ -142,18 +142,18 @@ export class GoogleDriveBackupProvider implements IOneKeyBackupProvider {
       // isCloudFsAvailable = await RNCloudFs.isAvailable();
 
       GoogleSignin.configure(GoogleSignInConfigure);
-      const isSignedIn = await GoogleSignin.isSignedIn();
-
-      // if (!isSignedIn) {
-      //   await GoogleSignin.signInSilently();
-      //   isSignedIn = await GoogleSignin.isSignedIn();
-      // }
-
-      if (isSignedIn) {
-        userInfo = await GoogleSignin.getCurrentUser();
-        email = userInfo?.user?.email || '';
-
-        // await RNCloudFs.loginIfNeeded();
+      const isPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+      if (isPreviousSignedIn) {
+        try {
+          const response = await GoogleSignin.signInSilently();
+          if (response.type === 'success') {
+            userInfo = GoogleSignin.getCurrentUser();
+            email = userInfo?.user?.email || '';
+          }
+        } catch (error) {
+          // signInSilently failed, return empty account info
+          console.log('GoogleSignin.signInSilently failed:', error);
+        }
       }
     }
 
diff --git a/packages/kit-bg/src/services/ServiceKeylessWallet/ServiceKeylessWallet.ts b/packages/kit-bg/src/services/ServiceKeylessWallet/ServiceKeylessWallet.ts
index 04df6de5fb87..c61179a60e67 100644
--- a/packages/kit-bg/src/services/ServiceKeylessWallet/ServiceKeylessWallet.ts
+++ b/packages/kit-bg/src/services/ServiceKeylessWallet/ServiceKeylessWallet.ts
@@ -1,6 +1,11 @@
 import { isEqual } from 'lodash';
 
-import { mnemonicToEntropy } from '@onekeyhq/core/src/secret';
+import {
+  decryptStringAsync,
+  encryptStringAsync,
+  generateMnemonic,
+  mnemonicToEntropy,
+} from '@onekeyhq/core/src/secret';
 import {
   backgroundClass,
   backgroundMethod,
@@ -8,30 +13,39 @@ import {
 } from '@onekeyhq/shared/src/background/backgroundDecorators';
 import type { ICloudBackupKeylessWalletPayload } from '@onekeyhq/shared/src/cloudBackup/cloudBackupTypes';
 import { ECloudBackupProviderType } from '@onekeyhq/shared/src/cloudBackup/cloudBackupTypes';
+import {
+  EOAuthSocialLoginProvider,
+  KEYLESS_SUPABASE_PROJECT_URL,
+  KEYLESS_SUPABASE_PUBLIC_API_KEY,
+} from '@onekeyhq/shared/src/consts/authConsts';
 import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
 import type { IOneKeyError } from '@onekeyhq/shared/src/errors/types/errorTypes';
 import type {
   IAuthKeyPack,
   ICloudKeyPack,
   IDeviceKeyPack,
+  IKeylessBackendShare,
+  IKeylessJuiceboxShare,
   IKeylessMnemonicInfo,
   IKeylessWalletPacks,
   IKeylessWalletRestoredData,
   IKeylessWalletUserInfo,
+  ISupabaseJWTPayload,
 } from '@onekeyhq/shared/src/keylessWallet/keylessWalletTypes';
 import keylessWalletUtils from '@onekeyhq/shared/src/keylessWallet/keylessWalletUtils';
 import shamirUtils from '@onekeyhq/shared/src/keylessWallet/shamirUtils';
 import { appLocale } from '@onekeyhq/shared/src/locale/appLocale';
 import { ETranslations } from '@onekeyhq/shared/src/locale/enum/translations';
+import { EOnboardingV2OneKeyIDLoginMode } from '@onekeyhq/shared/src/routes';
 import accountUtils from '@onekeyhq/shared/src/utils/accountUtils';
+import bufferUtils from '@onekeyhq/shared/src/utils/bufferUtils';
 import type { IAvatarInfo } from '@onekeyhq/shared/src/utils/emojiUtils';
 import { findMismatchedPaths } from '@onekeyhq/shared/src/utils/miscUtils';
 import stringUtils from '@onekeyhq/shared/src/utils/stringUtils';
 import timerUtils from '@onekeyhq/shared/src/utils/timerUtils';
-import { EServiceEndpointEnum } from '@onekeyhq/shared/types/endpoint';
 import type { IApiClientResponse } from '@onekeyhq/shared/types/endpoint';
+import { EServiceEndpointEnum } from '@onekeyhq/shared/types/endpoint';
 import { EPrimeTransferDataType } from '@onekeyhq/shared/types/prime/primeTransferTypes';
-import { EReasonForNeedPassword } from '@onekeyhq/shared/types/setting';
 
 import localDb from '../../dbs/local/localDb';
 import { keylessDialogAtom, primePersistAtom } from '../../states/jotai/atoms';
@@ -40,6 +54,8 @@ import ServiceBase from '../ServiceBase';
 
 import keylessAuthPackCache from './utils/keylessAuthPackCache';
 import keylessDeviceKeyStorage from './utils/keylessDeviceKeyStorage';
+import keylessMnemonicPasswordStorage from './utils/keylessMnemonicPasswordStorage';
+import keylessRefreshTokenStorage from './utils/keylessRefreshTokenStorage';
 
 import type { IDBIndexedAccount, IDBWallet } from '../../dbs/local/types';
 import type { IKeylessDialogAtomData } from '../../states/jotai/atoms';
@@ -141,6 +157,27 @@ class ServiceKeylessWallet extends ServiceBase {
     });
   }
 
+  /**
+   * Recover missing share using mnemonicPassword (base64) as the secret.
+   * This is used for Reset PIN flow where we have:
+   * - mnemonicPassword (stored locally)
+   * - backendShare (from server)
+   * And we need to recover juiceboxShare to upload with new PIN.
+   */
+  @backgroundMethod()
+  async recoverMissingShareFromSecret(params: {
+    secretBase64: string; // mnemonicPassword
+    shareBase64: string; // backendShare
+    missingX: number; // x-coordinate of juiceboxShare
+  }): Promise<string> {
+    const { secretBase64, shareBase64, missingX } = params;
+    return shamirUtils.recoverMissingShareFromSecret({
+      secretBase64,
+      shareBase64,
+      missingX,
+    });
+  }
+
   @backgroundMethod()
   async restoreMnemonicFromShareKey(params: {
     deviceKey?: string;
@@ -184,7 +221,6 @@ class ServiceKeylessWallet extends ServiceBase {
       restoreAuthPackFromServer: true,
     });
     if (!result?.packs?.mnemonic) {
-      // TODO i18n @franco 无法启用无私钥钱包
       throw new OneKeyLocalError('核验身份失败，无法启用您的无私钥钱包');
     }
     return {
@@ -1072,6 +1108,610 @@ class ServiceKeylessWallet extends ServiceBase {
       // do nothing
     }
   }
+
+  buildKeylessOwnerIdFromSocialToken(params: { token: string }): string {
+    const { token } = params;
+    const decodedToken = stringUtils.decodeJWT(token) as ISupabaseJWTPayload;
+    const provider = this.buildKeylessProviderFromSocialToken({ token });
+    const socialAccountId = decodedToken?.user_metadata?.sub || '';
+    return `${provider}--${socialAccountId}`;
+  }
+
+  buildKeylessProviderFromSocialToken(params: {
+    token: string;
+  }): EOAuthSocialLoginProvider {
+    const { token } = params;
+    const decodedToken = stringUtils.decodeJWT(token) as ISupabaseJWTPayload;
+
+    //  "app_metadata": {
+    //      "provider": "google",
+    //      "provider": "apple",
+    const provider = decodedToken?.app_metadata?.provider || '';
+    if (provider === 'google') {
+      return EOAuthSocialLoginProvider.Google;
+    }
+    if (provider === 'apple') {
+      return EOAuthSocialLoginProvider.Apple;
+    }
+
+    // "user_metadata": {
+    //    "iss": "https://accounts.google.com",
+    //    "iss": "https://appleid.apple.com",
+    const issuer = decodedToken?.user_metadata?.iss || '';
+    if (issuer === 'https://accounts.google.com') {
+      return EOAuthSocialLoginProvider.Google;
+    }
+    if (issuer === 'https://appleid.apple.com') {
+      return EOAuthSocialLoginProvider.Apple;
+    }
+
+    throw new OneKeyLocalError(
+      `Unsupported OAuth provider: ${provider}, ${issuer}`,
+    );
+  }
+
+  private async apiGetKeylessBackendShare(params: {
+    token: string;
+  }): Promise<IKeylessBackendShare | null> {
+    const { token } = params;
+
+    const client = await this.getClient(EServiceEndpointEnum.Prime);
+    const res = await client.post<IApiClientResponse<string>>(
+      '/prime/v1/keyless-wallet/getKeylessBackendShare',
+      {
+        token,
+      },
+    );
+
+    const isSuccess = res?.data?.code === 0 && res?.data?.message === 'success';
+    const backendShareStr = res?.data?.data;
+
+    // {"code":0,"message":"success","data":""}
+    if (isSuccess && backendShareStr === '') {
+      return null;
+    }
+
+    if (isSuccess && backendShareStr) {
+      try {
+        const result = JSON.parse(backendShareStr) as
+          | IKeylessBackendShare
+          | undefined;
+        if (result) {
+          return result;
+        }
+      } catch (e) {
+        throw new OneKeyLocalError('Failed to parse keyless backend share');
+      }
+    }
+    throw new OneKeyLocalError('Failed to get keyless backend share');
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async apiResetKeylessBackendShare(params: {
+    token: string;
+  }): Promise<{ ok: boolean }> {
+    const devSettings = await devSettingsPersistAtom.get();
+    if (!devSettings.enabled) {
+      throw new OneKeyLocalError('Dev settings is not enabled');
+    }
+    const { token } = params;
+    const client = await this.getClient(EServiceEndpointEnum.Prime);
+    // /prime/v1/keyless-wallet/resetKeylessBackendShare
+    const res = await client.post<IApiClientResponse<{ ok: undefined }>>(
+      '/prime/v1/keyless-wallet/resetKeylessBackendShare',
+      {
+        token,
+      },
+    );
+
+    if (res?.data?.code === 0 && res?.data?.message === 'success') {
+      return { ok: true };
+    }
+
+    throw new OneKeyLocalError('Failed to reset keyless backend share');
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async apiUploadKeylessBackendShare(params: {
+    token: string;
+    encryptedMnemonic: string;
+    backendShare: string;
+    juiceboxShareX: number;
+  }): Promise<IKeylessBackendShare> {
+    const { token, encryptedMnemonic, backendShare, juiceboxShareX } = params;
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+    // TODO: Replace with real API call
+    // For now, save to mock cache
+    const backendShareData: IKeylessBackendShare = {
+      ownerId,
+      encryptedMnemonic, // TODO to base64
+      backendShare,
+      juiceboxShareX,
+    };
+
+    const client = await this.getClient(EServiceEndpointEnum.Prime);
+    const res = await client.post<IApiClientResponse<{ ok: boolean }>>(
+      '/prime/v1/keyless-wallet/createKeylessBackendShare',
+      {
+        token,
+        keylessBackendShare: JSON.stringify(backendShareData), // TODO encrypt
+      },
+    );
+
+    if (res?.data?.data?.ok === true) {
+      return backendShareData;
+    }
+
+    throw new OneKeyLocalError('Failed to upload keyless backend share');
+  }
+
+  private async apiGetKeylessJuiceboxShare(params: {
+    token: string;
+    pin: string;
+  }): Promise<IKeylessJuiceboxShare | null> {
+    const { token, pin } = params;
+
+    if (!token) {
+      throw new OneKeyLocalError('Missing token');
+    }
+
+    if (!pin) {
+      throw new OneKeyLocalError('Missing pin');
+    }
+
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+
+    const { JuiceboxClient } = await import('./utils/JuiceboxClient');
+    const juiceboxClient = new JuiceboxClient();
+    await juiceboxClient.exchangeToken(token);
+    try {
+      const secret = await juiceboxClient.recover({
+        pin,
+        userInfo: ownerId,
+      });
+
+      const parts = secret.split('--');
+      const backendShareXStr = parts.pop();
+      if (!backendShareXStr) {
+        throw new OneKeyLocalError(
+          'Failed to get keyless juicebox share: backendShareXStr is empty',
+        );
+      }
+      const backendShareX = parseInt(backendShareXStr || '0', 10);
+      const juiceboxShare = parts.join('');
+      if (!juiceboxShare) {
+        throw new OneKeyLocalError(
+          'Failed to get keyless juicebox share: juiceboxShare is empty',
+        );
+      }
+      return {
+        ownerId,
+        pin,
+        juiceboxShare,
+        backendShareX,
+      };
+    } catch (_error) {
+      const error = _error as { guesses_remaining: number; reason: number };
+      console.error(_error);
+      throw _error;
+    }
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async apiVerifyKeylessJuiceboxPin(params: {
+    token: string;
+    pin: string;
+    refreshToken?: string;
+    mode?: EOnboardingV2OneKeyIDLoginMode;
+  }) {
+    const { token, pin, refreshToken, mode } = params;
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+
+    await this.apiGetKeylessJuiceboxShare({
+      token,
+      pin,
+    });
+
+    // Save refresh token to secure storage
+    if (
+      refreshToken &&
+      mode === EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly
+    ) {
+      await keylessRefreshTokenStorage.saveRefreshTokenToStorage({
+        ownerId,
+        refreshToken,
+        backgroundApi: this.backgroundApi,
+      });
+    }
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async apiUploadKeylessJuiceboxShare(params: {
+    token: string;
+    pin: string;
+    juiceboxShare: string;
+    backendShareX: number;
+  }): Promise<IKeylessJuiceboxShare> {
+    const { token, pin, juiceboxShare, backendShareX } = params;
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+    // TODO: Replace with real API call
+    // exchange juicebox token from onekey auth server
+    // upload juicebox share to juicebox network
+    // For now, save to mock cache
+    const juiceboxShareData: IKeylessJuiceboxShare = {
+      ownerId,
+      pin,
+      juiceboxShare,
+      backendShareX,
+    };
+
+    const { JuiceboxClient } = await import('./utils/JuiceboxClient');
+    const juiceboxClient = new JuiceboxClient();
+    await juiceboxClient.exchangeToken(token);
+    try {
+      const secret = `${juiceboxShare}--${backendShareX}`;
+      await juiceboxClient.register({
+        pin,
+        secret,
+        userInfo: ownerId,
+      });
+    } catch (e) {
+      console.error(e);
+      throw e;
+    }
+
+    return juiceboxShareData;
+  }
+
+  /**
+   * Reset PIN for keyless wallet.
+   * This method:
+   * 1. Gets ownerId from social login token
+   * 2. Gets backendShare from server
+   * 3. Gets mnemonicPassword from secure storage
+   * 4. Recovers juiceboxShare using mnemonicPassword + backendShare
+   * 5. Uploads juiceboxShare with new PIN
+   */
+  @backgroundMethod()
+  @toastIfError()
+  async resetKeylessWalletPin(params: {
+    token: string | undefined;
+    refreshToken?: string | undefined;
+    newPin: string | undefined;
+  }) {
+    const { token, refreshToken, newPin } = params;
+    if (!token) {
+      throw new OneKeyLocalError('social login token is required');
+    }
+    if (!newPin) {
+      throw new OneKeyLocalError('new PIN is required');
+    }
+
+    // 1. Get ownerId from token
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+
+    // 2. Get backendShare from server
+    const backendShareData = await this.apiGetKeylessBackendShare({ token });
+    if (!backendShareData) {
+      throw new OneKeyLocalError('Backend share not found');
+    }
+
+    // 3. Get mnemonicPassword from secure storage
+    const mnemonicPassword =
+      await keylessMnemonicPasswordStorage.getMnemonicPasswordFromStorage({
+        ownerId,
+        backgroundApi: this.backgroundApi,
+      });
+    if (!mnemonicPassword) {
+      throw new OneKeyLocalError(
+        'Mnemonic password not found in storage. Please restore the wallet first.',
+      );
+    }
+
+    // 4. Get x-coordinates from stored data
+    // juiceboxShareX is stored in backendShareData for recovery
+    const backendShareX = keylessWalletUtils.getShareXCoordinate(
+      backendShareData.backendShare,
+    );
+
+    // 5. Recover juiceboxShare using recoverMissingShareFromSecret
+    const juiceboxShare = await this.recoverMissingShareFromSecret({
+      secretBase64: mnemonicPassword,
+      shareBase64: backendShareData.backendShare,
+      missingX: backendShareData.juiceboxShareX,
+    });
+
+    // 6. Upload juiceboxShare with new PIN
+    await this.apiUploadKeylessJuiceboxShare({
+      token,
+      juiceboxShare,
+      pin: newPin,
+      backendShareX,
+    });
+
+    // Save refresh token to secure storage
+    if (refreshToken) {
+      await keylessRefreshTokenStorage.saveRefreshTokenToStorage({
+        ownerId,
+        refreshToken,
+        backgroundApi: this.backgroundApi,
+      });
+    }
+
+    return { success: true };
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async restoreKeylessWalletFromServer(params: {
+    token: string | undefined;
+    refreshToken?: string | undefined;
+    pin: string | undefined;
+  }) {
+    const { token, refreshToken, pin } = params;
+    if (!token) {
+      throw new OneKeyLocalError('social login token is required');
+    }
+    if (!pin) {
+      throw new OneKeyLocalError('pin is required');
+    }
+
+    // check if keyless wallet is initialized
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+
+    // Get backend share from server
+    const backendShareData = await this.apiGetKeylessBackendShare({ token });
+    if (!backendShareData) {
+      throw new OneKeyLocalError('Backend share not found');
+    }
+
+    // Get juicebox share from juicebox network
+    const juiceboxShareData = await this.apiGetKeylessJuiceboxShare({
+      token,
+      pin,
+    });
+    if (!juiceboxShareData) {
+      throw new OneKeyLocalError('Juicebox share not found');
+    }
+
+    // Combine shares to recover mnemonic password
+    const mnemonicPasswordShares = [
+      bufferUtils.base64ToBytes(backendShareData.backendShare),
+      bufferUtils.base64ToBytes(juiceboxShareData.juiceboxShare),
+    ];
+    const mnemonicPasswordBytes = await shamirUtils.combine(
+      mnemonicPasswordShares.map((s) => new Uint8Array(s)),
+    );
+    const mnemonicPassword = bufferUtils.bytesToBase64(mnemonicPasswordBytes);
+
+    // Decrypt mnemonic using recovered password
+    const mnemonic = await decryptStringAsync({
+      data: backendShareData.encryptedMnemonic,
+      dataEncoding: 'hex',
+      resultEncoding: 'utf-8',
+      password: mnemonicPassword,
+      allowRawPassword: true,
+      iterations: 600_000,
+    });
+
+    // Save mnemonicPassword to secure storage for Reset PIN flow
+    await keylessMnemonicPasswordStorage.saveMnemonicPasswordToStorage({
+      ownerId,
+      mnemonicPassword,
+      backgroundApi: this.backgroundApi,
+    });
+
+    // Save refresh token to secure storage
+    if (refreshToken) {
+      await keylessRefreshTokenStorage.saveRefreshTokenToStorage({
+        ownerId,
+        refreshToken,
+        backgroundApi: this.backgroundApi,
+      });
+    }
+
+    const keylessProvider = this.buildKeylessProviderFromSocialToken({ token });
+
+    return {
+      ownerId,
+      mnemonic: await this.backgroundApi.servicePassword.encodeSensitiveText({
+        text: mnemonic,
+      }),
+      keylessDetailsInfo: {
+        keylessOwnerId: ownerId,
+        keylessProvider,
+      },
+    };
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async createKeylessWalletToServer(params: {
+    token: string | undefined;
+    refreshToken?: string | undefined;
+    pin: string | undefined;
+    customMnemonic?: string;
+  }) {
+    const { token, refreshToken, pin, customMnemonic } = params;
+    if (!token) {
+      throw new OneKeyLocalError('social login token is required');
+    }
+    if (!pin) {
+      throw new OneKeyLocalError('pin is required');
+    }
+    const ownerId = this.buildKeylessOwnerIdFromSocialToken({ token });
+    const isCreated = await this.isKeylessWalletCreatedOnServer({ token });
+    if (isCreated) {
+      throw new OneKeyLocalError('Keyless wallet already created');
+    }
+    let mnemonic = '';
+    const devSettings = await devSettingsPersistAtom.get();
+    if (devSettings.enabled && customMnemonic && customMnemonic.trim()) {
+      mnemonic = customMnemonic.trim();
+    } else {
+      mnemonic = generateMnemonic(256);
+    }
+    const mnemonicPasswordBytes = crypto.getRandomValues(new Uint8Array(32));
+    const mnemonicPassword = bufferUtils.bytesToBase64(mnemonicPasswordBytes);
+    const encryptedMnemonic: string = await encryptStringAsync({
+      data: mnemonic,
+      dataEncoding: 'utf-8',
+      password: mnemonicPassword,
+      allowRawPassword: true,
+      iterations: 600_000,
+    });
+    const mnemonicPasswordShares = await shamirUtils.split(
+      new Uint8Array(mnemonicPasswordBytes),
+      2,
+      2,
+    );
+    const [mnemonicPasswordShare1, mnemonicPasswordShare2] =
+      mnemonicPasswordShares;
+    const backendShare: string = bufferUtils.bytesToBase64(
+      mnemonicPasswordShare1,
+    );
+    const juiceboxShare: string = bufferUtils.bytesToBase64(
+      mnemonicPasswordShare2,
+    );
+
+    // Extract x-coordinates from shares
+    const backendShareX = keylessWalletUtils.getShareXCoordinate(backendShare);
+    const juiceboxShareX =
+      keylessWalletUtils.getShareXCoordinate(juiceboxShare);
+
+    // Save mnemonicPassword to secure storage for Reset PIN flow
+    await keylessMnemonicPasswordStorage.saveMnemonicPasswordToStorage({
+      ownerId,
+      mnemonicPassword,
+      backgroundApi: this.backgroundApi,
+    });
+    // TODO verify mnemonicPassword is saved successfully
+
+    // TODO lock server creation flow, avoid multiple clients creating new wallets at the same time
+
+    const _juiceboxShareData: IKeylessJuiceboxShare =
+      await this.apiUploadKeylessJuiceboxShare({
+        token,
+        juiceboxShare,
+        pin,
+        backendShareX, // Store the other share's x-coordinate for recovery
+      });
+    // TODO verify juiceboxShareData is valid
+
+    // make sure juiceboxShare is uploaded successfully before uploading backend share
+    const _backendShareData: IKeylessBackendShare =
+      await this.apiUploadKeylessBackendShare({
+        token,
+        encryptedMnemonic,
+        backendShare,
+        juiceboxShareX, // Store the other share's x-coordinate for recovery
+      });
+    // TODO verify backendShareData is valid
+
+    // Save refresh token to secure storage
+    if (refreshToken) {
+      await keylessRefreshTokenStorage.saveRefreshTokenToStorage({
+        ownerId,
+        refreshToken,
+        backgroundApi: this.backgroundApi,
+      });
+    }
+
+    const keylessProvider = this.buildKeylessProviderFromSocialToken({ token });
+
+    return {
+      ownerId,
+      mnemonic: await this.backgroundApi.servicePassword.encodeSensitiveText({
+        text: mnemonic,
+      }),
+      keylessDetailsInfo: {
+        keylessOwnerId: ownerId,
+        keylessProvider,
+      },
+    };
+    // TODO cleanup if error occurs
+  }
+
+  @backgroundMethod()
+  @toastIfError()
+  async isKeylessWalletCreatedOnServer(params: {
+    token: string;
+  }): Promise<boolean> {
+    const { token } = params;
+    const backendShareInfo = await this.apiGetKeylessBackendShare({
+      token,
+    });
+    const isCreated = !!backendShareInfo;
+    return isCreated;
+  }
+
+  /**
+   * Try to refresh access token using stored refreshToken.
+   * Returns new accessToken and refreshToken if refresh is successful, null otherwise.
+   */
+  @backgroundMethod()
+  @toastIfError()
+  async tryRefreshTokenFromStorage(params: { ownerId: string }): Promise<{
+    accessToken: string;
+    refreshToken: string;
+  } | null> {
+    const { ownerId } = params;
+    if (!ownerId) {
+      throw new OneKeyLocalError('ownerId is required');
+    }
+    try {
+      // 3. Get refreshToken from secure storage
+      const storedRefreshToken =
+        await keylessRefreshTokenStorage.getRefreshTokenFromStorage({
+          ownerId,
+          backgroundApi: this.backgroundApi,
+        });
+
+      if (!storedRefreshToken) {
+        return null;
+      }
+
+      // 4. Call Supabase HTTP API to refresh token
+      const refreshUrl = `${KEYLESS_SUPABASE_PROJECT_URL}/auth/v1/token?grant_type=refresh_token`;
+      const response = await fetch(refreshUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          // eslint-disable-next-line spellcheck/spell-checker
+          apikey: KEYLESS_SUPABASE_PUBLIC_API_KEY,
+        },
+        body: JSON.stringify({
+          refresh_token: storedRefreshToken,
+        }),
+      });
+
+      if (!response.ok) {
+        return null;
+      }
+
+      const refreshResult = (await response.json()) as {
+        access_token?: string;
+        refresh_token?: string;
+      };
+
+      if (refreshResult?.access_token && refreshResult?.refresh_token) {
+        return {
+          accessToken: refreshResult.access_token,
+          refreshToken: refreshResult.refresh_token,
+        };
+      }
+
+      return null;
+    } catch (error) {
+      // Silently fail - return null if any error occurs
+      console.error('Failed to refresh token from storage:', error);
+      return null;
+    }
+  }
 }
 
 export default ServiceKeylessWallet;
diff --git a/packages/kit-bg/src/services/ServiceKeylessWallet/utils/JuiceboxClient.ts b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/JuiceboxClient.ts
new file mode 100644
index 000000000000..98f79a662bbd
--- /dev/null
+++ b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/JuiceboxClient.ts
@@ -0,0 +1,231 @@
+import axios from 'axios';
+import { isNil } from 'lodash';
+
+import {
+  JUICEBOX_ALLOWED_GUESSES,
+  JUICEBOX_AUTH_SERVER,
+  JUICEBOX_CONFIG,
+} from '@onekeyhq/shared/src/consts/authConsts';
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import bufferUtils from '@onekeyhq/shared/src/utils/bufferUtils';
+import type { IApiClientResponse } from '@onekeyhq/shared/types/endpoint';
+
+import { Client, Configuration } from './juicebox-sdk';
+
+/**
+ * JuiceboxClient - Wrapper for juicebox-sdk to handle keyless wallet shares
+ *
+ * This class provides methods to register and recover shares in the Juicebox network.
+ * It handles token management, caching, and error handling internally.
+ */
+export class JuiceboxClient {
+  // Private properties
+
+  private juiceboxTokenCache: Map<string, string>; // realmId (hex) -> JWT token
+
+  private client: Client; // Client from juicebox-sdk
+
+  /**
+   * Constructor
+   * @param backgroundApi - Background API instance to access OneKeyID tokens
+   */
+  constructor() {
+    this.juiceboxTokenCache = new Map<string, string>();
+
+    // Set global callback for juicebox-sdk
+    // @ts-ignore
+    globalThis.JuiceboxGetAuthToken = (realmId: Uint8Array) =>
+      this.getAuthTokenForRealm(realmId);
+
+    // Create internal Client instance from juicebox-sdk
+    this.client = new Client(new Configuration(JUICEBOX_CONFIG), []);
+  }
+
+  /**
+   * Exchange Supabase token for Juicebox tokens for all realms
+   * This method must be called before register() or recover()
+   *
+   * @param supabaseAccessToken - Supabase access token for authentication
+   * @returns Promise<void> - Resolves when all tokens are cached
+   * @throws {OneKeyLocalError} - If token exchange fails
+   */
+  async exchangeToken(supabaseAccessToken: string): Promise<void> {
+    if (!supabaseAccessToken) {
+      throw new OneKeyLocalError('Supabase access token is required');
+    }
+
+    const tokenUrl = `${JUICEBOX_AUTH_SERVER}/juicebox/v1/token/realms`;
+
+    const response = await axios.post<
+      IApiClientResponse<{
+        tokens: Record<string, string>;
+      }>
+    >(tokenUrl, {
+      token: supabaseAccessToken,
+    });
+    const resData = response?.data;
+    if (resData?.code === 0 && resData?.data?.tokens) {
+      const realmTokens = resData?.data?.tokens;
+      // Validate response format
+      if (!realmTokens || typeof realmTokens !== 'object') {
+        throw new OneKeyLocalError(
+          'Invalid response format: expected object with realm tokens',
+        );
+      }
+
+      // Cache all realm tokens
+      for (const [realmId, token] of Object.entries(realmTokens)) {
+        if (!token) {
+          throw new OneKeyLocalError(
+            `Invalid response format: missing token for realm ${realmId}`,
+          );
+        }
+        this.juiceboxTokenCache.set(realmId, token);
+      }
+
+      // Verify all configured realms have tokens
+      for (const realm of JUICEBOX_CONFIG.realms) {
+        if (!this.juiceboxTokenCache.has(realm.id)) {
+          throw new OneKeyLocalError(
+            `Missing token for configured realm: ${realm.id}`,
+          );
+        }
+      }
+    } else {
+      throw new OneKeyLocalError(
+        `Get Juicebox Token Error: ${resData?.code} ${resData?.message}`,
+      );
+    }
+  }
+
+  /**
+   * Register a share with PIN and userInfo in the Juicebox network
+   *
+   * @param pin - User PIN (string)
+   * @param secret - Share data to store (utf8 string, will be decoded to Uint8Array)
+   * @param userInfo - User identifier, typically ownerId (string)
+   * @returns Promise<void> - Resolves when registration is successful
+   * @throws {OneKeyLocalError} - If registration fails or juiceboxTokenCache is empty
+   * @throws {RegisterError} - SDK-specific registration errors
+   */
+  async register(params: {
+    // TODO In the future, prefix with server user salt before using to enhance security.
+    pin: string;
+    secret: string; // utf8 string
+    userInfo: string; // ownerId
+  }): Promise<void> {
+    const { pin, secret, userInfo } = params;
+
+    // Validate token cache is not empty
+    if (this.juiceboxTokenCache.size === 0) {
+      throw new OneKeyLocalError(
+        'Juicebox token cache is empty, please call exchangeToken first',
+      );
+    }
+
+    // Convert strings to Uint8Array
+    const pinBytes = bufferUtils.utf8ToBytes(pin);
+    const secretBytes = bufferUtils.utf8ToBytes(secret);
+    // TODO add juicebox token subject (sub) as prefix to userInfo, like: sub:${userInfo}
+    const userInfoBytes = bufferUtils.utf8ToBytes(userInfo);
+
+    // Call SDK register method
+    await this.client.register(
+      pinBytes,
+      secretBytes, // secret exceeds the maximum of 128 bytes
+      userInfoBytes,
+      JUICEBOX_ALLOWED_GUESSES,
+    );
+
+    // Clear token cache after successful registration
+    this.clearTokenCache();
+  }
+
+  /**
+   * Recover a share from the Juicebox network using PIN and userInfo
+   *
+   * @param pin - User PIN (string)
+   * @param userInfo - User identifier, typically ownerId (string)
+   * @returns Promise<string> - Recovered share data as utf8 string
+   * @throws {OneKeyLocalError} - If recovery fails or juiceboxTokenCache is empty
+   * @throws {RecoverError} - SDK-specific recovery errors
+   */
+  async recover(params: {
+    pin: string;
+    userInfo: string; // ownerId
+  }): Promise<string> {
+    try {
+      const { pin, userInfo } = params;
+
+      // Validate token cache is not empty
+      if (this.juiceboxTokenCache.size === 0) {
+        throw new OneKeyLocalError(
+          'Juicebox token cache is empty, please call exchangeToken first',
+        );
+      }
+
+      // Convert strings to Uint8Array
+      const pinBytes = bufferUtils.utf8ToBytes(pin);
+      const userInfoBytes = bufferUtils.utf8ToBytes(userInfo);
+
+      // Call SDK recover method
+      const recoveredSecret: Uint8Array = await this.client.recover(
+        pinBytes,
+        userInfoBytes,
+      );
+
+      if (!recoveredSecret?.length) {
+        throw new OneKeyLocalError('Recovery failed: Empty secret.');
+      }
+
+      // Convert recovered Uint8Array back to utf8 string
+      const secretUtf8 = bufferUtils.bytesToUtf8(recoveredSecret);
+
+      // Clear token cache after successful recovery
+      this.clearTokenCache();
+
+      return secretUtf8;
+    } catch (e) {
+      const error = e as
+        | { guesses_remaining: number; reason: number }
+        | undefined;
+      if (!isNil(error?.guesses_remaining)) {
+        throw new OneKeyLocalError(
+          `Incorrect PIN, you have ${error?.guesses_remaining} guesses remaining`,
+        );
+      }
+      throw e;
+    }
+  }
+
+  /**
+   * Get authentication token for a specific realm
+   * This method is called by the global JuiceboxGetAuthToken callback
+   *
+   * @param realmId - Realm ID as Uint8Array (from juicebox-sdk)
+   * @returns Promise<string> - JWT token for the realm
+   * @throws {OneKeyLocalError} - If token not found in cache
+   */
+  private async getAuthTokenForRealm(realmId: Uint8Array): Promise<string> {
+    // Convert realmId to hex string
+    const realmIdHex = bufferUtils.bytesToHex(realmId);
+
+    // Get token from cache
+    const token = this.juiceboxTokenCache.get(realmIdHex);
+    if (!token) {
+      throw new OneKeyLocalError(
+        'Juicebox token not found, please call exchangeToken first',
+      );
+    }
+
+    return token;
+  }
+
+  /**
+   * Clear all cached tokens
+   * Useful for logout scenarios or when tokens need to be refreshed
+   */
+  clearTokenCache(): void {
+    this.juiceboxTokenCache.clear();
+  }
+}
diff --git a/packages/kit-bg/src/services/ServiceKeylessWallet/utils/juicebox-sdk.native.ts b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/juicebox-sdk.native.ts
new file mode 100644
index 000000000000..3bdcc19186b1
--- /dev/null
+++ b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/juicebox-sdk.native.ts
@@ -0,0 +1,70 @@
+/* eslint-disable max-classes-per-file */
+import NativeSDK, {
+  type Authentication,
+  type Configuration as NativeConfiguration,
+  type PinHashingMode,
+  type Realm,
+} from '@phantom/react-native-juicebox-sdk';
+
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import bufferUtils from '@onekeyhq/shared/src/utils/bufferUtils';
+
+export class Configuration implements NativeConfiguration {
+  realms: Realm[];
+
+  register_threshold: number;
+
+  recover_threshold: number;
+
+  pin_hashing_mode: PinHashingMode;
+
+  constructor(config: NativeConfiguration) {
+    this.realms = config.realms;
+    this.register_threshold = config.register_threshold;
+    this.recover_threshold = config.recover_threshold;
+    this.pin_hashing_mode = config.pin_hashing_mode;
+  }
+}
+
+export class Client {
+  config: Configuration;
+
+  constructor(config: Configuration, _ignored?: any[]) {
+    this.config = config;
+  }
+
+  async register(
+    pin: Uint8Array,
+    secret: Uint8Array,
+    userInfo: Uint8Array,
+    guesses: number,
+  ): Promise<void> {
+    const auth = await this.getAuthentication();
+    await NativeSDK.register(this.config, auth, pin, secret, userInfo, guesses);
+  }
+
+  async recover(pin: Uint8Array, userInfo: Uint8Array): Promise<Uint8Array> {
+    const auth = await this.getAuthentication();
+    return NativeSDK.recover(this.config, auth, pin, userInfo);
+  }
+
+  private async getAuthentication(): Promise<Authentication> {
+    const auth: Authentication = {};
+
+    // Get callback from global
+    // @ts-ignore
+    // eslint-disable-next-line
+    const getAuthToken = globalThis.JuiceboxGetAuthToken as (realmId: Uint8Array) => Promise<string>;
+    if (!getAuthToken) {
+      throw new OneKeyLocalError('JuiceboxGetAuthToken not set');
+    }
+
+    for (const realm of this.config.realms) {
+      // Convert hex id to bytes for callback
+      const realmIdBytes = bufferUtils.hexToBytes(realm.id);
+      const token = await getAuthToken(realmIdBytes);
+      auth[realm.id] = token;
+    }
+    return auth;
+  }
+}
diff --git a/packages/kit-bg/src/services/ServiceKeylessWallet/utils/juicebox-sdk.ts b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/juicebox-sdk.ts
new file mode 100644
index 000000000000..61527eac9628
--- /dev/null
+++ b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/juicebox-sdk.ts
@@ -0,0 +1 @@
+export { Client, Configuration } from 'juicebox-sdk';
diff --git a/packages/kit-bg/src/services/ServiceKeylessWallet/utils/keylessMnemonicPasswordStorage.ts b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/keylessMnemonicPasswordStorage.ts
new file mode 100644
index 000000000000..f992a17515c5
--- /dev/null
+++ b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/keylessMnemonicPasswordStorage.ts
@@ -0,0 +1,133 @@
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import appStorage from '@onekeyhq/shared/src/storage/appStorage';
+import accountUtils from '@onekeyhq/shared/src/utils/accountUtils';
+import bufferUtils from '@onekeyhq/shared/src/utils/bufferUtils';
+
+import { buildKeylessLocalEncryptionKey } from './keylessLocalEncryptionKey';
+
+import type { IBackgroundApi } from '../../../apis/IBackgroundApi';
+
+async function storageSetItem(key: string, encryptedPayloadBase64: string) {
+  const isSecureStorageSupported =
+    await appStorage.secureStorage.supportSecureStorage();
+  if (isSecureStorageSupported) {
+    await appStorage.secureStorage.setSecureItem(key, encryptedPayloadBase64);
+  } else {
+    await appStorage.setItem(key, encryptedPayloadBase64);
+  }
+}
+
+async function storageGetItem(key: string): Promise<string | null> {
+  const isSecureStorageSupported =
+    await appStorage.secureStorage.supportSecureStorage();
+  if (isSecureStorageSupported) {
+    return appStorage.secureStorage.getSecureItem(key);
+  }
+  return appStorage.getItem(key);
+}
+
+async function storageRemoveItem(key: string): Promise<void> {
+  const isSecureStorageSupported =
+    await appStorage.secureStorage.supportSecureStorage();
+  if (isSecureStorageSupported) {
+    await appStorage.secureStorage.removeSecureItem(key);
+  } else {
+    await appStorage.removeItem(key);
+  }
+}
+
+/**
+ * Save mnemonicPassword to local storage with encryption.
+ * This is used for Reset PIN flow to recover juicebox share.
+ */
+async function saveMnemonicPasswordToStorage(params: {
+  ownerId: string;
+  mnemonicPassword: string;
+  backgroundApi: IBackgroundApi;
+}): Promise<void> {
+  const { ownerId, mnemonicPassword, backgroundApi } = params;
+
+  // 1. Build unique key for this ownerId
+  const key = accountUtils.buildKeylessMnemonicPasswordKey({ ownerId });
+
+  // 2. Encrypt with encryption key
+  const encryptionKey = await buildKeylessLocalEncryptionKey({ backgroundApi });
+
+  const encryptedPayloadHex = await backgroundApi.servicePassword.encryptString(
+    {
+      password: encryptionKey,
+      data: mnemonicPassword,
+      dataEncoding: 'utf8',
+      allowRawPassword: true,
+    },
+  );
+
+  // Convert hex to base64 for storage
+  const encryptedPayloadBase64 = bufferUtils.bytesToBase64(
+    bufferUtils.hexToBytes(encryptedPayloadHex),
+  );
+
+  // 3. Store encrypted data, prefer secureStorage if available
+  await storageSetItem(key, encryptedPayloadBase64);
+}
+
+/**
+ * Get mnemonicPassword from local storage and decrypt it.
+ */
+async function getMnemonicPasswordFromStorage(params: {
+  ownerId: string;
+  backgroundApi: IBackgroundApi;
+}): Promise<string | null> {
+  const { ownerId, backgroundApi } = params;
+
+  // 1. Build unique key for this ownerId
+  const key = accountUtils.buildKeylessMnemonicPasswordKey({ ownerId });
+
+  // 2. Read encrypted data from storage
+  const encryptedPayloadBase64 = await storageGetItem(key);
+
+  if (!encryptedPayloadBase64) {
+    return null;
+  }
+
+  // 3. Decrypt with encryption key
+  const decryptionKey = await buildKeylessLocalEncryptionKey({ backgroundApi });
+
+  try {
+    const mnemonicPassword = await backgroundApi.servicePassword.decryptString({
+      password: decryptionKey,
+      data: encryptedPayloadBase64,
+      dataEncoding: 'base64',
+      resultEncoding: 'utf8',
+      allowRawPassword: true,
+    });
+    return mnemonicPassword;
+  } catch (error) {
+    throw new OneKeyLocalError(
+      `Failed to decrypt mnemonicPassword: invalid password or corrupted data: ${
+        (error as Error)?.message
+      }`,
+    );
+  }
+}
+
+/**
+ * Remove mnemonicPassword from local storage.
+ */
+async function removeMnemonicPasswordFromStorage(params: {
+  ownerId: string;
+}): Promise<void> {
+  const { ownerId } = params;
+
+  // 1. Build unique key for this ownerId
+  const key = accountUtils.buildKeylessMnemonicPasswordKey({ ownerId });
+
+  // 2. Remove encrypted data from storage
+  await storageRemoveItem(key);
+}
+
+export default {
+  saveMnemonicPasswordToStorage,
+  getMnemonicPasswordFromStorage,
+  removeMnemonicPasswordFromStorage,
+};
diff --git a/packages/kit-bg/src/services/ServiceKeylessWallet/utils/keylessRefreshTokenStorage.ts b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/keylessRefreshTokenStorage.ts
new file mode 100644
index 000000000000..66c96870c724
--- /dev/null
+++ b/packages/kit-bg/src/services/ServiceKeylessWallet/utils/keylessRefreshTokenStorage.ts
@@ -0,0 +1,137 @@
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import appStorage from '@onekeyhq/shared/src/storage/appStorage';
+import accountUtils from '@onekeyhq/shared/src/utils/accountUtils';
+import bufferUtils from '@onekeyhq/shared/src/utils/bufferUtils';
+
+import { buildKeylessLocalEncryptionKey } from './keylessLocalEncryptionKey';
+
+import type { IBackgroundApi } from '../../../apis/IBackgroundApi';
+
+async function storageSetItem(key: string, encryptedPayloadBase64: string) {
+  const isSecureStorageSupported =
+    await appStorage.secureStorage.supportSecureStorage();
+  if (isSecureStorageSupported) {
+    await appStorage.secureStorage.setSecureItem(key, encryptedPayloadBase64);
+  } else {
+    await appStorage.setItem(key, encryptedPayloadBase64);
+  }
+}
+
+async function storageGetItem(key: string): Promise<string | null> {
+  const isSecureStorageSupported =
+    await appStorage.secureStorage.supportSecureStorage();
+  if (isSecureStorageSupported) {
+    return appStorage.secureStorage.getSecureItem(key);
+  }
+  return appStorage.getItem(key);
+}
+
+async function storageRemoveItem(key: string): Promise<void> {
+  const isSecureStorageSupported =
+    await appStorage.secureStorage.supportSecureStorage();
+  if (isSecureStorageSupported) {
+    await appStorage.secureStorage.removeSecureItem(key);
+  } else {
+    await appStorage.removeItem(key);
+  }
+}
+
+/**
+ * Save refreshToken to local storage with passcode encryption.
+ * The refreshToken is encrypted using the user's passcode via buildKeylessLocalEncryptionKey.
+ * This is used for refreshing access tokens.
+ */
+async function saveRefreshTokenToStorage(params: {
+  ownerId: string;
+  refreshToken: string;
+  backgroundApi: IBackgroundApi;
+}): Promise<void> {
+  const { ownerId, refreshToken, backgroundApi } = params;
+
+  // 1. Build unique key for this ownerId
+  const key = accountUtils.buildKeylessRefreshTokenKey({ ownerId });
+
+  // 2. Encrypt with passcode-based encryption key
+  // buildKeylessLocalEncryptionKey will prompt for passcode and combine it with sensitiveEncodeKey
+  const encryptionKey = await buildKeylessLocalEncryptionKey({ backgroundApi });
+
+  const encryptedPayloadHex = await backgroundApi.servicePassword.encryptString(
+    {
+      password: encryptionKey,
+      data: refreshToken,
+      dataEncoding: 'utf8',
+      allowRawPassword: true,
+    },
+  );
+
+  // Convert hex to base64 for storage
+  const encryptedPayloadBase64 = bufferUtils.bytesToBase64(
+    bufferUtils.hexToBytes(encryptedPayloadHex),
+  );
+
+  // 3. Store encrypted data, prefer secureStorage if available
+  await storageSetItem(key, encryptedPayloadBase64);
+}
+
+/**
+ * Get refreshToken from local storage and decrypt it.
+ * Requires user passcode to decrypt the refreshToken.
+ */
+async function getRefreshTokenFromStorage(params: {
+  ownerId: string;
+  backgroundApi: IBackgroundApi;
+}): Promise<string | null> {
+  const { ownerId, backgroundApi } = params;
+
+  // 1. Build unique key for this ownerId
+  const key = accountUtils.buildKeylessRefreshTokenKey({ ownerId });
+
+  // 2. Read encrypted data from storage
+  const encryptedPayloadBase64 = await storageGetItem(key);
+
+  if (!encryptedPayloadBase64) {
+    return null;
+  }
+
+  // 3. Decrypt with passcode-based encryption key
+  // buildKeylessLocalEncryptionKey will prompt for passcode to decrypt
+  const decryptionKey = await buildKeylessLocalEncryptionKey({ backgroundApi });
+
+  try {
+    const refreshToken = await backgroundApi.servicePassword.decryptString({
+      password: decryptionKey,
+      data: encryptedPayloadBase64,
+      dataEncoding: 'base64',
+      resultEncoding: 'utf8',
+      allowRawPassword: true,
+    });
+    return refreshToken;
+  } catch (error) {
+    throw new OneKeyLocalError(
+      `Failed to decrypt refreshToken: invalid password or corrupted data: ${
+        (error as Error)?.message
+      }`,
+    );
+  }
+}
+
+/**
+ * Remove refreshToken from local storage.
+ */
+async function removeRefreshTokenFromStorage(params: {
+  ownerId: string;
+}): Promise<void> {
+  const { ownerId } = params;
+
+  // 1. Build unique key for this ownerId
+  const key = accountUtils.buildKeylessRefreshTokenKey({ ownerId });
+
+  // 2. Remove encrypted data from storage
+  await storageRemoveItem(key);
+}
+
+export default {
+  saveRefreshTokenToStorage,
+  getRefreshTokenFromStorage,
+  removeRefreshTokenFromStorage,
+};
diff --git a/packages/kit-bg/src/services/ServicePassword/index.ts b/packages/kit-bg/src/services/ServicePassword/index.ts
index 394c452ada5c..e89d00af4e0a 100644
--- a/packages/kit-bg/src/services/ServicePassword/index.ts
+++ b/packages/kit-bg/src/services/ServicePassword/index.ts
@@ -249,6 +249,11 @@ export default class ServicePassword extends ServiceBase {
     return this.cachedPassword;
   }
 
+  @backgroundMethod()
+  async hasCachedPassword(): Promise<boolean> {
+    return !!this.cachedPassword;
+  }
+
   @backgroundMethod()
   async getCachedPasswordOrDeviceParams({ walletId }: { walletId: string }) {
     const isHardware = accountUtils.isHwWallet({ walletId });
diff --git a/packages/kit-bg/src/services/ServicePrimeTransfer/ServicePrimeTransfer.ts b/packages/kit-bg/src/services/ServicePrimeTransfer/ServicePrimeTransfer.ts
index 30ca0c9ad2b5..1a3818c6697f 100644
--- a/packages/kit-bg/src/services/ServicePrimeTransfer/ServicePrimeTransfer.ts
+++ b/packages/kit-bg/src/services/ServicePrimeTransfer/ServicePrimeTransfer.ts
@@ -880,12 +880,7 @@ class ServicePrimeTransfer extends ServiceBase {
     const { wallets } = await serviceAccount.getWallets();
 
     // Filter out keyless wallets
-    const filteredWallets = wallets.filter(
-      (wallet) =>
-        !accountUtils.isKeylessWallet({
-          walletId: wallet.id,
-        }),
-    );
+    const filteredWallets = wallets.filter((wallet) => !wallet.isKeyless);
 
     const walletAccountMap = filteredWallets.reduce((summary, current) => {
       summary[current.id] = current;
@@ -1001,17 +996,14 @@ class ServicePrimeTransfer extends ServiceBase {
         // eslint-disable-next-line no-continue
         continue;
       }
-      // Skip accounts belonging to keyless wallets
-      if (
-        accountUtils.isKeylessWallet({
-          walletId,
-        })
-      ) {
-        // eslint-disable-next-line no-continue
-        continue;
-      }
+
       const wallet = walletAccountMap[walletId];
       if (wallet) {
+        // Skip accounts belonging to keyless wallets
+        if (wallet?.isKeyless) {
+          // eslint-disable-next-line no-continue
+          continue;
+        }
         const getNetworkAccountInfo = async () => {
           let networkAccount: INetworkAccount | undefined;
           const networkId = await serviceAccount.getAccountCreatedNetworkId({
diff --git a/packages/kit-bg/src/vaults/base/KeyringSoftwareBase.ts b/packages/kit-bg/src/vaults/base/KeyringSoftwareBase.ts
index ad18c7936645..7bc6429d053e 100644
--- a/packages/kit-bg/src/vaults/base/KeyringSoftwareBase.ts
+++ b/packages/kit-bg/src/vaults/base/KeyringSoftwareBase.ts
@@ -55,11 +55,8 @@ export abstract class KeyringSoftwareBase extends KeyringBase {
 
     // hd
     if (this.isKeyringHd()) {
-      if (
-        accountUtils.isKeylessWallet({
-          walletId: checkIsDefined(this.walletId),
-        })
-      ) {
+      const isKeyless = false;
+      if (isKeyless) {
         const { mnemonic } =
           await this.backgroundApi.serviceKeylessWallet.revealKeylessWalletMnemonic(
             {
diff --git a/packages/kit/src/components/HyperlinkText/index.tsx b/packages/kit/src/components/HyperlinkText/index.tsx
index 2eb23f2dce5d..9307e4a7e600 100644
--- a/packages/kit/src/components/HyperlinkText/index.tsx
+++ b/packages/kit/src/components/HyperlinkText/index.tsx
@@ -36,9 +36,15 @@ export type IHyperlinkTextProps = {
   scoped?: boolean;
 } & ISizableTextProps;
 
-const defaultIntl = createIntl({
-  locale: '',
-});
+let defaultIntl: ReturnType<typeof createIntl> | undefined;
+function getDefaultIntl() {
+  if (!defaultIntl) {
+    defaultIntl = createIntl({
+      locale: '',
+    });
+  }
+  return defaultIntl;
+}
 
 export function HyperlinkText({
   translationId,
@@ -70,7 +76,7 @@ export function HyperlinkText({
     [basicTextProps.fontSize, basicTextProps.size],
   );
 
-  const theIntl = scoped ? defaultIntl : intl;
+  const theIntl = scoped ? getDefaultIntl() : intl;
 
   const text = useMemo(
     () =>
diff --git a/packages/kit/src/components/KeylessWallet/useKeylessWallet.tsx b/packages/kit/src/components/KeylessWallet/useKeylessWallet.tsx
index f231d7eac96a..8425f2c23fa7 100644
--- a/packages/kit/src/components/KeylessWallet/useKeylessWallet.tsx
+++ b/packages/kit/src/components/KeylessWallet/useKeylessWallet.tsx
@@ -4,14 +4,21 @@ import { useIntl } from 'react-intl';
 
 import { Dialog } from '@onekeyhq/components';
 import { primePersistAtom } from '@onekeyhq/kit-bg/src/states/jotai/atoms';
-import { useDevSettingsPersistAtom } from '@onekeyhq/kit-bg/src/states/jotai/atoms/devSettings';
+import {
+  devSettingsPersistAtom,
+  useDevSettingsPersistAtom,
+} from '@onekeyhq/kit-bg/src/states/jotai/atoms/devSettings';
+import type { EOAuthSocialLoginProvider } from '@onekeyhq/shared/src/consts/authConsts';
 import { EPrimeEmailOTPScene } from '@onekeyhq/shared/src/consts/primeConsts';
 import {
   OneKeyLocalError,
   PrimeSendEmailOTPCancelError,
 } from '@onekeyhq/shared/src/errors';
 import errorToastUtils from '@onekeyhq/shared/src/errors/utils/errorToastUtils';
-import { EKeylessWalletEnableScene } from '@onekeyhq/shared/src/keylessWallet/keylessWalletConsts';
+import {
+  EKeylessFinalizeAction,
+  EKeylessWalletEnableScene,
+} from '@onekeyhq/shared/src/keylessWallet/keylessWalletConsts';
 import type {
   IAuthKeyPack,
   ICloudKeyPack,
@@ -22,22 +29,38 @@ import { EModalRoutes, ERootRoutes } from '@onekeyhq/shared/src/routes';
 import {
   EOnboardingPagesV2,
   EOnboardingV2KeylessWalletCreationMode,
+  EOnboardingV2OneKeyIDLoginMode,
   EOnboardingV2Routes,
 } from '@onekeyhq/shared/src/routes/onboardingv2';
 import { EPrimePages } from '@onekeyhq/shared/src/routes/prime';
+import cacheUtils from '@onekeyhq/shared/src/utils/cacheUtils';
+import timerUtils from '@onekeyhq/shared/src/utils/timerUtils';
 import { EPrimeTransferDataType } from '@onekeyhq/shared/types/prime/primeTransferTypes';
 
 import backgroundApiProxy from '../../background/instance/backgroundApiProxy';
 import useAppNavigation from '../../hooks/useAppNavigation';
+import { usePromiseResult } from '../../hooks/usePromiseResult';
 import { useAccountSelectorActions } from '../../states/jotai/contexts/accountSelector';
 import { useOneKeyAuth } from '../OneKeyAuth/useOneKeyAuth';
 
 export function useKeylessWalletFeatureIsEnabled(): boolean {
-  const [devSettings] = useDevSettingsPersistAtom();
-  return (
-    devSettings.enabled &&
-    devSettings.settings?.isKeylessWalletFeatureEnabled === true
-  );
+  // const [devSettings] = useDevSettingsPersistAtom();
+  // return (
+  //   devSettings.enabled &&
+  //   devSettings.settings?.isKeylessWalletFeatureEnabled === true
+  // );
+  return true;
+}
+
+export function useKeylessWalletExistsLocal(): boolean {
+  const isKeylessWalletEnabled = useKeylessWalletFeatureIsEnabled();
+  const { result } = usePromiseResult(async () => {
+    if (!isKeylessWalletEnabled) {
+      return false;
+    }
+    return backgroundApiProxy.serviceAccount.isKeylessWalletExistsLocal();
+  }, [isKeylessWalletEnabled]);
+  return result ?? false;
 }
 
 export function useKeylessWalletMethods() {
@@ -270,10 +293,109 @@ export function useKeylessWalletMethods() {
   };
 }
 
+export const keylessOnboardingCache = new cacheUtils.LRUCache<string, string>({
+  max: 1000,
+  ttl: timerUtils.getTimeDurationMs({ minute: 3 }),
+  ttlAutopurge: true,
+});
+
+async function keylessOnboardingCacheGetAndDelete(
+  key: string,
+  options: {
+    skipDelete?: boolean;
+  } = {},
+) {
+  const token = keylessOnboardingCache.get(key);
+  if (!options?.skipDelete) {
+    keylessOnboardingCache.delete(key);
+  }
+  if (!token) {
+    return '';
+  }
+  return backgroundApiProxy.servicePassword.decodeSensitiveText({
+    encodedText: token,
+  });
+}
+
+async function keylessOnboardingCacheSet(key: string, value: string) {
+  keylessOnboardingCache.set(
+    key,
+    await backgroundApiProxy.servicePassword.encodeSensitiveText({
+      text: value,
+    }),
+  );
+}
+
+async function cacheKeylessOnboardingToken({
+  token,
+  refreshToken,
+}: {
+  token: string;
+  refreshToken?: string;
+}) {
+  await keylessOnboardingCacheSet('socialLoginToken', token);
+  if (refreshToken) {
+    await keylessOnboardingCacheSet('socialLoginRefreshToken', refreshToken);
+  }
+}
+
+async function getKeylessOnboardingToken(options?: { skipDelete?: boolean }) {
+  const token = keylessOnboardingCacheGetAndDelete('socialLoginToken', options);
+  return token;
+}
+
+async function getKeylessOnboardingRefreshToken(options?: {
+  skipDelete?: boolean;
+}) {
+  const refreshToken = keylessOnboardingCacheGetAndDelete(
+    'socialLoginRefreshToken',
+    options,
+  );
+  return refreshToken;
+}
+
+async function cacheKeylessOnboardingPin({ pin }: { pin: string }) {
+  await keylessOnboardingCacheSet('onboardingPin', pin);
+}
+
+async function getKeylessOnboardingPin(options?: { skipDelete?: boolean }) {
+  const pin = keylessOnboardingCacheGetAndDelete('onboardingPin', options);
+  return pin;
+}
+
+async function cacheKeylessOnboardingCustomMnemonic({
+  customMnemonic,
+}: {
+  customMnemonic: string;
+}) {
+  const devSettings = await devSettingsPersistAtom.get();
+  if (devSettings.enabled) {
+    await keylessOnboardingCacheSet('customMnemonic', customMnemonic);
+  }
+}
+
+async function getKeylessOnboardingCustomMnemonic(options?: {
+  skipDelete?: boolean;
+}) {
+  const devSettings = await devSettingsPersistAtom.get();
+  if (devSettings.enabled) {
+    const customMnemonic = keylessOnboardingCacheGetAndDelete(
+      'customMnemonic',
+      options,
+    );
+    return customMnemonic;
+  }
+}
+
+if (process.env.NODE_ENV !== 'production') {
+  // @ts-ignore
+  globalThis.$$keylessOnboardingCache = keylessOnboardingCache;
+}
+
 export function useKeylessWallet() {
   const methods = useKeylessWalletMethods();
   const actions = useAccountSelectorActions();
-  const { loginOneKeyId } = useOneKeyAuth();
+  const { loginOneKeyId, signInWithSocialLogin } = useOneKeyAuth();
   const isKeylessWalletCreated = useCallback(async () => {
     const user = await primePersistAtom.get();
     return !!user?.keylessWalletId;
@@ -411,10 +533,411 @@ export function useKeylessWallet() {
     ],
   );
 
+  const handleKeylessOnboardingTimeout = useCallback(() => {
+    // TODO @franco 创建无私钥钱包超时提示（安全考虑，社交账户登录后 3 分钟内未完成创建，则提示超时，需重新登录）
+    Dialog.show({
+      title: 'Keyless Wallet',
+      description:
+        'For security reasons, your keyless wallet creation session has expired. Please log in again with your social account to continue.',
+      showCancelButton: false,
+      // TODO return to OneKeyIDLoginPage
+      onConfirmText: intl.formatMessage({
+        id: ETranslations.global_got_it,
+      }),
+      onCancel: () => {
+        keylessOnboardingCache.clear();
+        navigation.popStack();
+      },
+      onClose: () => {
+        keylessOnboardingCache.clear();
+        navigation.popStack();
+      },
+      onConfirm: () => {
+        keylessOnboardingCache.clear();
+        navigation.popStack();
+      },
+    });
+    throw new OneKeyLocalError('Keyless Wallet onboarding timed out');
+  }, [intl, navigation]);
+
+  const checkKeylessWalletCreatedOnServer = useCallback(
+    async ({
+      token,
+      refreshToken,
+      mode,
+    }: {
+      token: string;
+      refreshToken?: string;
+      mode?: EOnboardingV2OneKeyIDLoginMode;
+    }) => {
+      if (!token) {
+        handleKeylessOnboardingTimeout();
+        return;
+      }
+      await cacheKeylessOnboardingToken({ token, refreshToken });
+
+      // ResetPin: skip check, go to CreatePin
+      if (mode === EOnboardingV2OneKeyIDLoginMode.KeylessResetPin) {
+        // TODO check if keyless wallet matched with ownerId
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            screen: EOnboardingPagesV2.CreatePin,
+            params: {
+              action: EKeylessFinalizeAction.ResetPin,
+            },
+          },
+        });
+        return;
+      }
+
+      // VerifyPinOnly: skip check, go to VerifyPin
+      if (mode === EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly) {
+        // TODO check if keyless wallet matched with ownerId
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            screen: EOnboardingPagesV2.VerifyPin,
+            params: {
+              mode: EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly,
+            },
+          },
+        });
+        return;
+      }
+
+      // Default: check wallet existence and navigate accordingly
+      const isCreated =
+        await backgroundApiProxy.serviceKeylessWallet.isKeylessWalletCreatedOnServer(
+          {
+            token,
+          },
+        );
+      if (isCreated) {
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            screen: EOnboardingPagesV2.VerifyPin,
+            params: {
+              mode: EOnboardingV2OneKeyIDLoginMode.KeylessCreateOrRestore,
+            },
+          },
+        });
+      } else {
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            screen: EOnboardingPagesV2.CreatePin,
+          },
+        });
+      }
+    },
+    [handleKeylessOnboardingTimeout, navigation],
+  );
+
+  // goToOneKeyIDLoginPageForKeylessWallet
+  const goToOneKeyIDLoginPageForKeylessWallet = useCallback(
+    async ({ mode }: { mode: EOnboardingV2OneKeyIDLoginMode }) => {
+      if (
+        mode === EOnboardingV2OneKeyIDLoginMode.KeylessResetPin ||
+        mode === EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly
+      ) {
+        // Get keyless wallet to extract ownerId from keylessDetailsInfo
+        let keylessWallet;
+        try {
+          keylessWallet =
+            await backgroundApiProxy.serviceAccount.getKeylessWallet();
+        } catch (error) {
+          // Continue to navigation if getKeylessWallet fails
+        }
+        const ownerId = keylessWallet?.keylessDetailsInfo?.keylessOwnerId || '';
+
+        if (keylessWallet && ownerId) {
+          // Try to refresh session if refreshToken is valid
+          let refreshResult;
+          try {
+            refreshResult =
+              await backgroundApiProxy.serviceKeylessWallet.tryRefreshTokenFromStorage(
+                { ownerId },
+              );
+          } catch (error) {
+            // Continue to navigation if refresh fails
+          }
+
+          if (
+            refreshResult &&
+            refreshResult?.accessToken &&
+            refreshResult?.refreshToken
+          ) {
+            // Refresh successful, proceed with checkKeylessWalletCreatedOnServer
+            await checkKeylessWalletCreatedOnServer({
+              token: refreshResult.accessToken,
+              refreshToken: refreshResult.refreshToken,
+              mode,
+            });
+            return;
+          }
+        }
+      }
+
+      navigation.navigate(ERootRoutes.Onboarding, {
+        screen: EOnboardingV2Routes.OnboardingV2,
+        params: {
+          screen: EOnboardingPagesV2.OneKeyIDLogin,
+          params: {
+            mode,
+          },
+        },
+      });
+    },
+    [navigation, checkKeylessWalletCreatedOnServer],
+  );
+
+  // Renamed function, checks if KeylessWallet exists locally
+  const checkKeylessWalletLocalExistence = useCallback(
+    async ({
+      signInProvider,
+    }: {
+      signInProvider?: EOAuthSocialLoginProvider;
+    } = {}) => {
+      if (enableKeylessWalletLoadingRef.current) {
+        return;
+      }
+      await errorToastUtils.withErrorAutoToast(async () => {
+        try {
+          enableKeylessWalletLoadingRef.current = true;
+          setEnableKeylessWalletLoading(true);
+
+          const exists =
+            await backgroundApiProxy.serviceAccount.isKeylessWalletExistsLocal();
+          if (exists) {
+            Dialog.show({
+              title: 'Keyless Wallet',
+              // TODO @franco 本地已经添加无私钥钱包，如果需要使用其他无私钥钱包，请先删除当前钱包
+              description:
+                'A Keyless Wallet is already added. To use another Keyless Wallet, please delete the current one first.',
+              showCancelButton: false,
+              onConfirmText: intl.formatMessage({
+                id: ETranslations.global_got_it,
+              }),
+            });
+          } else {
+            if (signInProvider) {
+              const result = await signInWithSocialLogin(signInProvider);
+              if (result?.session?.accessToken) {
+                await checkKeylessWalletCreatedOnServer({
+                  token: result.session.accessToken,
+                  refreshToken: result.session.refreshToken,
+                  mode: EOnboardingV2OneKeyIDLoginMode.KeylessCreateOrRestore,
+                });
+              }
+              return;
+            }
+            await goToOneKeyIDLoginPageForKeylessWallet({
+              mode: EOnboardingV2OneKeyIDLoginMode.KeylessCreateOrRestore,
+            });
+          }
+        } finally {
+          setEnableKeylessWalletLoading(false);
+        }
+      });
+    },
+    [
+      checkKeylessWalletCreatedOnServer,
+      goToOneKeyIDLoginPageForKeylessWallet,
+      intl,
+      signInWithSocialLogin,
+    ],
+  );
+
+  const finalizeKeylessWalletV2 = useCallback(
+    async ({ action }: { action: EKeylessFinalizeAction }) => {
+      const token = await getKeylessOnboardingToken();
+      if (!token) {
+        handleKeylessOnboardingTimeout();
+        return;
+      }
+      const refreshToken = await getKeylessOnboardingRefreshToken();
+      const pin = await getKeylessOnboardingPin();
+      if (!pin) {
+        handleKeylessOnboardingTimeout();
+        return;
+      }
+      if (!action) {
+        Dialog.show({
+          title: 'Keyless Wallet',
+          description: 'EKeylessFinalizeAction is required',
+          showCancelButton: false,
+          onConfirmText: intl.formatMessage({
+            id: ETranslations.global_got_it,
+          }),
+        });
+        return;
+      }
+
+      // Handle ResetPin action
+      if (action === EKeylessFinalizeAction.ResetPin) {
+        await backgroundApiProxy.serviceKeylessWallet.resetKeylessWalletPin({
+          token,
+          refreshToken,
+          newPin: pin,
+        });
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            screen: EOnboardingPagesV2.NewPinCreated,
+          },
+        });
+        return;
+      }
+
+      let mnemonic = '';
+      let ownerId = '';
+      let keylessDetailsInfo;
+      if (action === EKeylessFinalizeAction.Create) {
+        const result =
+          await backgroundApiProxy.serviceKeylessWallet.createKeylessWalletToServer(
+            {
+              token,
+              refreshToken,
+              pin,
+              customMnemonic: await getKeylessOnboardingCustomMnemonic(),
+            },
+          );
+        mnemonic = result.mnemonic;
+        ownerId = result.ownerId;
+        keylessDetailsInfo = result.keylessDetailsInfo;
+      }
+      if (action === EKeylessFinalizeAction.Restore) {
+        const result =
+          await backgroundApiProxy.serviceKeylessWallet.restoreKeylessWalletFromServer(
+            {
+              token,
+              refreshToken,
+              pin,
+            },
+          );
+        mnemonic = result.mnemonic;
+        ownerId = result.ownerId;
+        keylessDetailsInfo = result.keylessDetailsInfo;
+      }
+      navigation.navigate(ERootRoutes.Onboarding, {
+        screen: EOnboardingV2Routes.OnboardingV2,
+        params: {
+          screen: EOnboardingPagesV2.FinalizeWalletSetup,
+          params: {
+            mnemonic,
+            isWalletBackedUp: true,
+            isKeylessWallet: true,
+            keylessOwnerId: ownerId,
+            keylessDetailsInfo,
+          },
+        },
+      });
+    },
+    [navigation, handleKeylessOnboardingTimeout, intl],
+  );
+
+  const confirmKeylessOnboardingPin = useCallback(
+    async ({
+      pin,
+      action,
+    }: {
+      pin: string;
+      action: EKeylessFinalizeAction;
+    }) => {
+      await cacheKeylessOnboardingPin({ pin });
+      const hasCachedPassword =
+        await backgroundApiProxy.servicePassword.hasCachedPassword();
+      if (hasCachedPassword) {
+        await finalizeKeylessWalletV2({ action });
+      } else {
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            screen: EOnboardingPagesV2.CreatePasscode,
+            params: { action },
+          },
+        });
+      }
+    },
+    [finalizeKeylessWalletV2, navigation],
+  );
+
+  const verifyKeylessOnboardingPin = useCallback(
+    async ({
+      pin,
+      mode,
+    }: {
+      pin: string;
+      mode?: EOnboardingV2OneKeyIDLoginMode;
+    }) => {
+      const token = await getKeylessOnboardingToken({ skipDelete: true });
+      if (!token) {
+        handleKeylessOnboardingTimeout();
+        return;
+      }
+      const refreshToken = await getKeylessOnboardingRefreshToken({
+        skipDelete: true,
+      });
+      await backgroundApiProxy.serviceKeylessWallet.apiVerifyKeylessJuiceboxPin(
+        {
+          token,
+          pin,
+          refreshToken,
+          mode,
+        },
+      );
+
+      // VerifyPinOnly: just verify, show success dialog and close modal
+      if (mode === EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly) {
+        navigation.popStack();
+
+        Dialog.show({
+          title: 'PIN Verified',
+          description: 'PIN verified successfully',
+          showCancelButton: false,
+          onConfirmText: intl.formatMessage({
+            id: ETranslations.global_got_it,
+          }),
+          onConfirm: () => {
+            //
+          },
+        });
+        return;
+      }
+
+      // Default: continue with restore flow
+      await cacheKeylessOnboardingToken({ token, refreshToken });
+      await confirmKeylessOnboardingPin({
+        pin,
+        action: EKeylessFinalizeAction.Restore,
+      });
+    },
+    [
+      confirmKeylessOnboardingPin,
+      handleKeylessOnboardingTimeout,
+      intl,
+      navigation,
+    ],
+  );
+
   return {
     ...methods,
     // TODO handleKeylessWalletClick
     enableKeylessWallet,
     enableKeylessWalletLoading,
+    goToOneKeyIDLoginPageForKeylessWallet,
+    checkKeylessWalletLocalExistence, // step1
+    checkKeylessWalletCreatedOnServer, // step2 (handles all modes: default, ResetPin, VerifyPinOnly)
+    confirmKeylessOnboardingPin, // step3
+    verifyKeylessOnboardingPin,
+    finalizeKeylessWalletV2, // step4
+    keylessOnboardingCache,
+    cacheKeylessOnboardingPin,
+    getKeylessOnboardingPin,
+    handleKeylessOnboardingTimeout,
+    cacheKeylessOnboardingCustomMnemonic,
+    getKeylessOnboardingCustomMnemonic,
   };
 }
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.desktop.tsx b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.desktop.tsx
new file mode 100644
index 000000000000..51e6388d5e62
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.desktop.tsx
@@ -0,0 +1,412 @@
+import { Dialog } from '@onekeyhq/components';
+import type { IDialogInstance } from '@onekeyhq/components';
+import type { IAppleSignInResult } from '@onekeyhq/kit-bg/src/desktopApis/DesktopApiAppleAuth';
+import {
+  MAC_DESKTOP_USE_NATIVE_APPLE_SIGNIN,
+  OAUTH_CALLBACK_DESKTOP_CHANNEL,
+  OAUTH_CALLBACK_DESKTOP_PATH,
+  OAUTH_FLOW_TIMEOUT_MS,
+} from '@onekeyhq/shared/src/consts/authConsts';
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import platformEnv from '@onekeyhq/shared/src/platformEnv';
+
+import { OAuthPopupBase } from './OAuthPopupBase';
+
+import type { IOAuthPopupOptions, IOAuthPopupResult } from './types';
+
+// ============================================================================
+// Desktop OAuth Popup Implementation
+// ============================================================================
+
+/**
+ * OAuth popup implementation for Desktop (Electron) platform.
+ *
+ * Supports two methods:
+ * - Native Apple Sign-In (macOS only): Uses ASAuthorizationController for native UI
+ * - Browser OAuth (default): Opens system browser with localhost callback
+ *
+ * Flow (Browser method):
+ * 1. Start localhost HTTP server on system-assigned port
+ * 2. Open Supabase OAuth URL in system browser
+ * 3. User completes OAuth in browser
+ * 4. Browser redirects to localhost callback with authorization code
+ * 5. Exchange code for session using Supabase PKCE
+ */
+export class OAuthPopup extends OAuthPopupBase {
+  // ============ Public API ============
+
+  /**
+   * Get OAuth redirect URL for Desktop platform.
+   *
+   * Starts localhost OAuth server and returns callback URL.
+   * Returns: http://127.0.0.1:{port}/oauth_callback_desktop
+   */
+  static override async getRedirectUrl(): Promise<string> {
+    if (
+      !platformEnv.isDesktop ||
+      !globalThis.desktopApiProxy?.oauthLocalServer
+    ) {
+      throw new OneKeyLocalError(
+        'Desktop OAuth Local Server API is not available',
+      );
+    }
+
+    let port = 0;
+    try {
+      const serverResult =
+        await globalThis.desktopApiProxy.oauthLocalServer.startServer();
+      port = serverResult.port;
+    } catch {
+      throw new OneKeyLocalError(
+        'Failed to start OAuth local server. Please try again.',
+      );
+    }
+
+    if (!port) {
+      throw new OneKeyLocalError('OAuth local server returned invalid port.');
+    }
+
+    return `http://127.0.0.1:${port}${OAUTH_CALLBACK_DESKTOP_PATH}`;
+  }
+
+  /**
+   * Open OAuth popup.
+   *
+   * Routes to the appropriate sign-in method based on provider and platform:
+   * - Apple on macOS: Uses native Apple Sign-In via DesktopApiAppleAuth (if available)
+   * - Other providers: Uses browser OAuth with localhost callback
+   */
+  static override async open(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { provider, client } = options;
+
+    if (!client) {
+      throw new OneKeyLocalError('Supabase client is required');
+    }
+
+    // Apple Sign-In on macOS: Try native method first (if enabled)
+    if (
+      provider === 'apple' &&
+      platformEnv.isDesktopMac &&
+      MAC_DESKTOP_USE_NATIVE_APPLE_SIGNIN
+    ) {
+      try {
+        // TODO: macOS Native Apple Sign-In requirements:
+        // 1. Build native module: cd apps/desktop/native-modules/apple-auth-macos && npx node-gyp rebuild
+        // 2. Add entitlement to apps/desktop/entitlements.mac.plist and entitlements.mas.plist:
+        //    <key>com.apple.developer.applesignin</key>
+        //    <array><string>Default</string></array>
+        // 3. App must be code signed with proper provisioning profile
+        // 4. Apple Developer account must have "Sign in with Apple" capability enabled
+        // 5. Supabase Apple provider must include the app's bundle ID in "Client IDs"
+
+        return await OAuthPopup.openWithNativeAppleSignIn(options);
+      } catch (error) {
+        // If native Apple Sign-In fails due to module not available, fall back to browser
+        if (OAuthPopup.shouldFallbackToBrowser(error)) {
+          console.warn(
+            'Native Apple Sign-In not available, falling back to browser:',
+            error instanceof Error ? error.message : error,
+          );
+          // Fall through to browser method
+        } else {
+          throw error;
+        }
+      }
+    }
+
+    // Browser OAuth method
+    return OAuthPopup.openWithBrowser(options);
+  }
+
+  // ============ Private Methods - Native Apple Sign-In ============
+
+  /**
+   * Check if error indicates native Apple Sign-In is not available
+   * and we should fall back to browser.
+   */
+  private static shouldFallbackToBrowser(error: unknown): boolean {
+    if (error instanceof Error) {
+      const message = error.message.toLowerCase();
+      return (
+        message.includes('not available') ||
+        message.includes('not loaded') ||
+        message.includes('native module')
+      );
+    }
+    return false;
+  }
+
+  /**
+   * Open OAuth using native Apple Sign-In (macOS only).
+   *
+   * Uses DesktopApiAppleAuth to perform native Apple Sign-In
+   * with ASAuthorizationController (system UI, no browser).
+   */
+  private static async openWithNativeAppleSignIn(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { client, handleSessionPersistence } = options;
+
+    if (!client) {
+      throw new OneKeyLocalError('Supabase client is required');
+    }
+
+    if (!globalThis.desktopApiProxy?.appleAuth) {
+      throw new OneKeyLocalError(
+        'Desktop Apple Auth API is not available. Native module may not be built.',
+      );
+    }
+
+    // Check if native Apple Sign-In is available
+    const appleAuth = globalThis.desktopApiProxy.appleAuth as {
+      isAvailable: () => boolean;
+      signIn: () => Promise<IAppleSignInResult>;
+    };
+
+    const isAvailable = appleAuth.isAvailable();
+    if (!isAvailable) {
+      throw new OneKeyLocalError(
+        'Native Apple Sign-In requires macOS 10.15 or later and the native module to be built.',
+      );
+    }
+
+    // Perform native Apple Sign-In
+    const result: IAppleSignInResult = await appleAuth.signIn();
+
+    if (!result.identityToken) {
+      throw new OneKeyLocalError(
+        'No identity token received from Apple Sign-In',
+      );
+    }
+
+    // Exchange Apple ID token for Supabase session
+    // The raw nonce is passed to Supabase to validate against the hashed nonce in the ID token
+    const { data, error } = await client.auth.signInWithIdToken({
+      provider: 'apple',
+      token: result.identityToken,
+      nonce: result.rawNonce,
+    });
+
+    if (error) {
+      throw new OneKeyLocalError(error.message);
+    }
+
+    if (!data.session) {
+      throw new OneKeyLocalError(
+        'Failed to exchange Apple ID token for session',
+      );
+    }
+
+    const accessToken = data.session.access_token;
+    const refreshToken = data.session.refresh_token;
+
+    // Handle session persistence
+    await handleSessionPersistence({
+      accessToken,
+      refreshToken,
+    });
+
+    return {
+      success: true,
+      session: { accessToken, refreshToken },
+    };
+  }
+
+  // ============ Private Methods - Browser OAuth ============
+
+  /**
+   * Open OAuth using localhost HTTP server and system browser.
+   */
+  private static async openWithBrowser(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { authUrl, client, handleSessionPersistence } = options;
+
+    if (!authUrl) {
+      throw new OneKeyLocalError('OAuth URL is required');
+    }
+
+    if (!client) {
+      throw new OneKeyLocalError('Supabase client is required');
+    }
+
+    if (
+      !platformEnv.isDesktop ||
+      !globalThis.desktopApiProxy?.oauthLocalServer
+    ) {
+      throw new OneKeyLocalError(
+        'Desktop OAuth Local Server API is not available',
+      );
+    }
+
+    // Parse expected states for validation
+    const { expectedState, expectedOneKeyState } =
+      OAuthPopup.parseExpectedStates(authUrl);
+
+    return new Promise((resolve, reject) => {
+      void (async () => {
+        let settled = false;
+        let timeoutId: ReturnType<typeof setTimeout> | null = null;
+        let dialogClosed = false;
+        let waitingDialog: IDialogInstance | null = null;
+
+        // Define cleanup first to avoid "used before defined" error
+        const cleanupFn = {
+          cleanup: async () => {},
+        };
+
+        // IPC callback handler
+        const handleCallback = async (
+          _event: Electron.IpcRendererEvent,
+          data: {
+            code?: string;
+            state?: string;
+            oneKeyState?: string;
+          },
+        ) => {
+          if (settled) {
+            return;
+          }
+          settled = true;
+
+          // Remove listener
+          if (globalThis.desktopApi) {
+            globalThis.desktopApi.removeIpcEventListener(
+              OAUTH_CALLBACK_DESKTOP_CHANNEL,
+              handleCallback,
+            );
+          }
+
+          try {
+            dialogClosed = true;
+            await Promise.resolve(waitingDialog?.close());
+
+            const { code, state, oneKeyState } = data;
+
+            if (!code) {
+              await cleanupFn.cleanup();
+              reject(new OneKeyLocalError('Authorization code is missing'));
+              return;
+            }
+
+            // Validate states
+            OAuthPopup.validateOneKeyState(
+              expectedOneKeyState,
+              oneKeyState ?? null,
+            );
+            OAuthPopup.validateSupabaseState(expectedState, state ?? null);
+
+            // Exchange code for session
+            const { accessToken, refreshToken } =
+              await OAuthPopup.exchangeCodeForSession(client, code);
+
+            // Handle session persistence
+            await handleSessionPersistence({
+              accessToken,
+              refreshToken,
+            });
+
+            await cleanupFn.cleanup();
+            resolve({
+              success: true,
+              session: { accessToken, refreshToken },
+            });
+          } catch (error) {
+            await cleanupFn.cleanup();
+            reject(OAuthPopup.wrapError(error, 'OAuth failed'));
+          }
+        };
+
+        // Assign cleanup implementation
+        cleanupFn.cleanup = async () => {
+          if (timeoutId) {
+            clearTimeout(timeoutId);
+            timeoutId = null;
+          }
+          if (globalThis.desktopApi) {
+            globalThis.desktopApi.removeIpcEventListener(
+              OAUTH_CALLBACK_DESKTOP_CHANNEL,
+              handleCallback,
+            );
+          }
+          try {
+            await globalThis.desktopApiProxy.oauthLocalServer.stopServer();
+          } catch {
+            // Ignore stop errors
+          }
+          try {
+            if (!dialogClosed) {
+              await Promise.resolve(waitingDialog?.close());
+            }
+          } catch {
+            // Ignore close errors
+          }
+        };
+
+        try {
+          // Show waiting dialog
+          waitingDialog = Dialog.show({
+            title: 'Sign in',
+            description:
+              'Complete sign-in in your browser, then return to OneKey.',
+            showFooter: true,
+            showConfirmButton: false,
+            showCancelButton: true,
+            onCancel: async (close) => {
+              if (settled) {
+                await close();
+                return;
+              }
+              settled = true;
+              dialogClosed = true;
+              await close();
+              await cleanupFn.cleanup();
+              reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
+            },
+            onClose: async (extra) => {
+              if (extra?.flag === 'cancel' && !settled) {
+                settled = true;
+                dialogClosed = true;
+                await cleanupFn.cleanup();
+                reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
+              }
+            },
+          });
+
+          // Add IPC listener
+          if (globalThis.desktopApi) {
+            globalThis.desktopApi.addIpcEventListener(
+              OAUTH_CALLBACK_DESKTOP_CHANNEL,
+              handleCallback,
+            );
+          }
+
+          // Open OAuth URL in system browser
+          await globalThis.desktopApiProxy.oauthLocalServer.openBrowser(
+            authUrl,
+          );
+
+          // Setup timeout
+          timeoutId = setTimeout(() => {
+            if (settled) {
+              return;
+            }
+            settled = true;
+            void cleanupFn.cleanup().finally(() => {
+              reject(new OneKeyLocalError('OAuth sign-in timed out'));
+            });
+          }, OAUTH_FLOW_TIMEOUT_MS);
+        } catch (error) {
+          Dialog.debugMessage({
+            title: 'OAuth',
+            debugMessage:
+              error instanceof Error ? error.message : 'OAuth setup failed',
+          });
+          reject(OAuthPopup.wrapError(error, 'OAuth setup failed'));
+        }
+      })();
+    });
+  }
+}
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.ext.tsx b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.ext.tsx
new file mode 100644
index 000000000000..8779970deaf4
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.ext.tsx
@@ -0,0 +1,411 @@
+/* eslint-disable spellcheck/spell-checker */
+import {
+  EXTENSION_OAUTH_USE_PKCE_FLOW,
+  GOOGLE_OAUTH_AUTHORIZE_URL,
+  GOOGLE_OAUTH_CLIENT_IDS,
+  GOOGLE_OAUTH_DEFAULT_SCOPES,
+  OAUTH_FLOW_TIMEOUT_MS,
+  OAUTH_POLL_INTERVAL_MS,
+  OAUTH_POPUP_HEIGHT,
+  OAUTH_POPUP_WIDTH,
+  OAUTH_TOKEN_KEY_ID_TOKEN,
+  ONEKEY_OAUTH_STATE_KEY,
+} from '@onekeyhq/shared/src/consts/authConsts';
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+
+import { OAuthPopupBase } from './OAuthPopupBase';
+
+import type { IOAuthPopupOptions, IOAuthPopupResult } from './types';
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+// ============================================================================
+// Internal Types
+// ============================================================================
+
+interface IExtensionOAuthFlowSignInParams {
+  rawNonce?: string;
+  expectedState?: string;
+  expectedOneKeyState?: string;
+}
+
+interface IExtensionOAuthFlowGetAuthUrlResult {
+  authUrl: string;
+  signInParams: IExtensionOAuthFlowSignInParams;
+}
+
+interface IExtensionOAuthFlowSignInInput {
+  callbackUrl: string;
+  signInParams: IExtensionOAuthFlowSignInParams;
+}
+
+interface IExtensionOAuthFlowBuilder {
+  getAuthUrl: () => Promise<IExtensionOAuthFlowGetAuthUrlResult>;
+  signIn: (input: IExtensionOAuthFlowSignInInput) => Promise<IOAuthPopupResult>;
+}
+
+// ============================================================================
+// Extension OAuth Popup Implementation
+// ============================================================================
+
+/**
+ * OAuth popup implementation for Chrome Extension platform.
+ *
+ * Uses chrome.identity.launchWebAuthFlow for OAuth authentication.
+ * Supports two flows:
+ * - PKCE flow: Supabase OAuth URL + exchangeCodeForSession
+ * - OIDC flow: Google id_token + signInWithIdToken
+ */
+export class OAuthPopup extends OAuthPopupBase {
+  // ============ Public API ============
+
+  /**
+   * Get OAuth redirect URL for Chrome Extension.
+   *
+   * Returns: https://<extension-id>.chromiumapp.org
+   */
+  static override getRedirectUrl(): Promise<string> {
+    let redirectUrl = chrome.identity.getRedirectURL();
+    // Remove trailing slash to match Google Cloud Console configuration
+    if (redirectUrl.endsWith('/')) {
+      redirectUrl = redirectUrl.slice(0, -1);
+    }
+    return Promise.resolve(redirectUrl);
+  }
+
+  /**
+   * Open OAuth using chrome.identity.launchWebAuthFlow.
+   *
+   * Internally selects PKCE or OIDC flow based on EXTENSION_OAUTH_USE_PKCE_FLOW config.
+   */
+  static override async open(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { client, handleSessionPersistence, authUrl, redirectTo } = options;
+
+    if (!chrome.identity) {
+      throw new OneKeyLocalError(
+        'chrome.identity API is not available. ' +
+          'Make sure you are running in a Chrome Extension context (not content script) ' +
+          'and the "identity" permission is added to manifest.json.',
+      );
+    }
+
+    if (!redirectTo) {
+      throw new OneKeyLocalError(
+        'redirectTo is required. Call OAuthPopup.getRedirectUrl() first.',
+      );
+    }
+
+    const redirectUrl = redirectTo;
+
+    // Build flow params based on config
+    const flowBuilder = EXTENSION_OAUTH_USE_PKCE_FLOW
+      ? OAuthPopup.buildPkceFlowParams(redirectUrl, client, authUrl)
+      : OAuthPopup.buildOidcFlowParams(redirectUrl, client);
+
+    // Setup window focus listener
+    const cleanupFocus = OAuthPopup.setupWindowFocusListener();
+
+    try {
+      const { authUrl: oauthUrl, signInParams } =
+        await flowBuilder.getAuthUrl();
+      const callbackUrl = await OAuthPopup.launchWebAuthFlowWithTimeout(
+        oauthUrl,
+      );
+
+      if (!callbackUrl) {
+        throw new OneKeyLocalError(
+          'OAuth authentication failed: callback URL is missing',
+        );
+      }
+
+      const result = await flowBuilder.signIn({ callbackUrl, signInParams });
+
+      // Handle session persistence
+      if (result.success && result.session) {
+        await handleSessionPersistence({
+          accessToken: result.session.accessToken,
+          refreshToken: result.session.refreshToken,
+        });
+      }
+
+      return result;
+    } catch (error) {
+      if (OAuthPopup.isUserCancelledError(error)) {
+        throw new OneKeyLocalError('OAuth sign-in was cancelled');
+      }
+      throw OAuthPopup.wrapError(error, 'Extension OAuth failed');
+    } finally {
+      try {
+        cleanupFocus();
+      } catch {
+        // Ignore cleanup errors
+      }
+    }
+  }
+
+  // ============ Private Methods ============
+
+  /**
+   * Launch chrome.identity.launchWebAuthFlow with timeout.
+   */
+  private static async launchWebAuthFlowWithTimeout(
+    url: string,
+  ): Promise<string | undefined> {
+    let timeoutId: ReturnType<typeof setTimeout> | null = null;
+
+    try {
+      return await Promise.race([
+        chrome.identity.launchWebAuthFlow({
+          url,
+          interactive: true,
+        }),
+        new Promise<never>((_, reject) => {
+          timeoutId = setTimeout(() => {
+            reject(new OneKeyLocalError('OAuth sign-in timed out'));
+          }, OAUTH_FLOW_TIMEOUT_MS);
+        }),
+      ]);
+    } finally {
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+    }
+  }
+
+  /**
+   * Build PKCE flow params (Supabase OAuth + exchangeCodeForSession).
+   */
+  private static buildPkceFlowParams(
+    redirectUrl: string,
+    client: SupabaseClient | undefined,
+    externalAuthUrl: string | undefined,
+  ): IExtensionOAuthFlowBuilder {
+    return {
+      getAuthUrl: async () => {
+        if (!externalAuthUrl) {
+          throw new OneKeyLocalError('Failed to create Supabase OAuth URL.');
+        }
+
+        const { expectedState, expectedOneKeyState } =
+          OAuthPopup.parseExpectedStates(externalAuthUrl);
+
+        return {
+          authUrl: externalAuthUrl,
+          signInParams: {
+            expectedState: expectedState ?? undefined,
+            expectedOneKeyState: expectedOneKeyState ?? undefined,
+          },
+        };
+      },
+
+      signIn: async ({ callbackUrl, signInParams }) => {
+        if (!client) {
+          throw new OneKeyLocalError(
+            'Supabase client is required for PKCE flow',
+          );
+        }
+
+        const url = new URL(callbackUrl);
+        const expectedUrl = new URL(redirectUrl);
+
+        // Extract onekey_oauth_state from both URLs for comparison
+        const oneKeyState = url.searchParams.get(ONEKEY_OAUTH_STATE_KEY);
+        const expectedOneKeyState = expectedUrl.searchParams.get(
+          ONEKEY_OAUTH_STATE_KEY,
+        );
+
+        // Compare origin, pathname, and onekey_oauth_state
+        // Query params order may differ, so we compare them separately
+        if (
+          url.origin !== expectedUrl.origin ||
+          url.pathname !== expectedUrl.pathname ||
+          oneKeyState !== expectedOneKeyState
+        ) {
+          throw new OneKeyLocalError(
+            'OAuth callback URL does not match expected redirect URL',
+          );
+        }
+
+        const error =
+          url.searchParams.get('error') ||
+          url.searchParams.get('error_description');
+        if (error) {
+          throw new OneKeyLocalError(error);
+        }
+
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+
+        if (!code) {
+          throw new OneKeyLocalError('Authorization code is missing');
+        }
+
+        // Validate states
+        OAuthPopup.validateOneKeyState(
+          signInParams.expectedOneKeyState ?? null,
+          oneKeyState,
+        );
+        OAuthPopup.validateSupabaseState(
+          signInParams.expectedState ?? null,
+          state,
+        );
+
+        // Exchange code for session
+        const { accessToken, refreshToken } =
+          await OAuthPopup.exchangeCodeForSession(client, code);
+
+        return {
+          success: true,
+          session: { accessToken, refreshToken },
+        };
+      },
+    };
+  }
+
+  /**
+   * Build OIDC flow params (Google id_token + signInWithIdToken).
+   */
+  private static buildOidcFlowParams(
+    redirectUrl: string,
+    client: SupabaseClient | undefined,
+  ): IExtensionOAuthFlowBuilder {
+    const scopes = GOOGLE_OAUTH_DEFAULT_SCOPES;
+
+    return {
+      getAuthUrl: async () => {
+        // Build Google OAuth URL manually with response_type=id_token
+        const authUrl = new URL(GOOGLE_OAUTH_AUTHORIZE_URL);
+
+        authUrl.searchParams.set(
+          'client_id',
+          GOOGLE_OAUTH_CLIENT_IDS.EXTENSION,
+        );
+        authUrl.searchParams.set('response_type', 'id_token');
+        authUrl.searchParams.set('access_type', 'offline');
+        authUrl.searchParams.set('redirect_uri', redirectUrl);
+        authUrl.searchParams.set('scope', scopes.join(' '));
+
+        // Generate and hash nonce
+        const rawNonce = crypto.randomUUID();
+        const encoder = new TextEncoder();
+        const nonceData = encoder.encode(rawNonce);
+        const hashBuffer = await crypto.subtle.digest('SHA-256', nonceData);
+        const hashArray = Array.from(new Uint8Array(hashBuffer));
+        const hashedNonce = hashArray
+          .map((b) => b.toString(16).padStart(2, '0'))
+          .join('');
+
+        authUrl.searchParams.set('nonce', hashedNonce);
+        authUrl.searchParams.set('prompt', 'select_account');
+
+        return {
+          authUrl: authUrl.href,
+          signInParams: { rawNonce },
+        };
+      },
+
+      signIn: async ({ callbackUrl, signInParams }) => {
+        if (!client) {
+          throw new OneKeyLocalError(
+            'Supabase client is required for OIDC flow',
+          );
+        }
+
+        const { rawNonce } = signInParams;
+        if (!rawNonce) {
+          throw new OneKeyLocalError('Missing nonce for Google OAuth sign-in.');
+        }
+
+        // Parse id_token from callback URL hash
+        const url = new URL(callbackUrl);
+        const hashParams = new URLSearchParams(url.hash.substring(1));
+        const idToken = hashParams.get(OAUTH_TOKEN_KEY_ID_TOKEN);
+
+        if (!idToken) {
+          throw new OneKeyLocalError('No ID token received from Google OAuth');
+        }
+
+        // Exchange ID token for Supabase session
+        const { data, error } = await client.auth.signInWithIdToken({
+          provider: 'google',
+          token: idToken,
+          nonce: rawNonce,
+        });
+
+        if (error) {
+          throw new OneKeyLocalError(error.message);
+        }
+
+        if (!data.session) {
+          throw new OneKeyLocalError('Failed to exchange ID token for session');
+        }
+
+        return {
+          success: true,
+          session: {
+            accessToken: data.session.access_token,
+            refreshToken: data.session.refresh_token,
+          },
+        };
+      },
+    };
+  }
+
+  /**
+   * Setup window focus listener for OAuth popup.
+   * Returns cleanup function.
+   */
+  private static setupWindowFocusListener(): () => void {
+    const width = OAUTH_POPUP_WIDTH;
+    const height = OAUTH_POPUP_HEIGHT;
+    const left = Math.round((globalThis.screen?.width || 1920) / 2 - width / 2);
+    const top = Math.round(
+      (globalThis.screen?.height || 1080) / 2 - height / 2,
+    );
+
+    let focusInterval: ReturnType<typeof setInterval> | null = null;
+    let oauthWindowId: number | null = null;
+
+    const windowUpdateListener = (window: chrome.windows.Window) => {
+      if (window.type === 'popup' && window.id) {
+        oauthWindowId = window.id;
+
+        // Try to update window size and position
+        chrome.windows
+          .update(window.id, {
+            width,
+            height,
+            left,
+            top,
+            focused: true,
+          })
+          .catch(() => {
+            // Chrome may not allow updating OAuth windows
+          });
+
+        // Set up focus polling
+        focusInterval = setInterval(() => {
+          if (oauthWindowId !== null) {
+            chrome.windows
+              .update(oauthWindowId, { focused: true })
+              .catch(() => {
+                // Ignore focus errors
+              });
+          }
+        }, OAUTH_POLL_INTERVAL_MS);
+
+        chrome.windows.onCreated.removeListener(windowUpdateListener);
+      }
+    };
+
+    chrome.windows.onCreated.addListener(windowUpdateListener);
+
+    return () => {
+      chrome.windows.onCreated.removeListener(windowUpdateListener);
+      if (focusInterval !== null) {
+        clearInterval(focusInterval);
+      }
+    };
+  }
+}
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.native.tsx b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.native.tsx
new file mode 100644
index 000000000000..090d02d1101e
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.native.tsx
@@ -0,0 +1,675 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
+/* eslint-disable spellcheck/spell-checker */
+import * as AppleAuthentication from 'expo-apple-authentication';
+import * as Crypto from 'expo-crypto';
+import * as WebBrowser from 'expo-web-browser';
+
+import { Dialog } from '@onekeyhq/components';
+import {
+  APPLE_SIGNIN_USE_NONCE,
+  DEFAULT_NATIVE_OAUTH_METHOD,
+  ENativeOAuthMethod,
+  OAUTH_CALLBACK_NATIVE_PATH,
+  ONEKEY_OAUTH_STATE_KEY,
+} from '@onekeyhq/shared/src/consts/authConsts';
+import {
+  ONEKEY_APP_DEEP_LINK,
+  WalletConnectUniversalLinkFull,
+} from '@onekeyhq/shared/src/consts/deeplinkConsts';
+import {
+  GoogleSignInConfigure,
+  GoogleSignInConfigureIOS,
+} from '@onekeyhq/shared/src/consts/googleSignConsts';
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import platformEnv from '@onekeyhq/shared/src/platformEnv';
+
+import { OAuthPopupBase } from './OAuthPopupBase';
+
+import type { IOAuthPopupOptions, IOAuthPopupResult } from './types';
+import type { GoogleSignin as GoogleSigninType } from '@react-native-google-signin/google-signin';
+
+// Lazy load GoogleSignin to avoid crash if native module is not available
+async function getGoogleSignin(): Promise<typeof GoogleSigninType> {
+  try {
+    const module = await import('@react-native-google-signin/google-signin');
+    return module.GoogleSignin;
+  } catch (error) {
+    throw new OneKeyLocalError(
+      'Google Sign-In is not available. Please use web browser authentication.',
+    );
+  }
+}
+
+// ============================================================================
+// Native OAuth Popup Implementation
+// ============================================================================
+
+/**
+ * OAuth popup implementation for native platforms (iOS/Android).
+ *
+ * Supports two methods:
+ * - GOOGLE_SIGNIN (default): Uses @react-native-google-signin for native Google Sign-In
+ * - WEB_BROWSER (fallback): Uses expo-web-browser for in-app browser OAuth
+ *
+ * The GOOGLE_SIGNIN method provides better UX with native UI and is recommended
+ * per Supabase documentation for React Native:
+ * https://supabase.com/docs/guides/auth/social-login/auth-google?platform=react-native
+ */
+export class OAuthPopup extends OAuthPopupBase {
+  // ============ Public API ============
+
+  /**
+   * Get OAuth redirect URL for native platforms.
+   *
+   * Note: This is only used for WEB_BROWSER method.
+   * GOOGLE_SIGNIN method doesn't need a redirect URL.
+   *
+   * IMPORTANT: Arbitrary HTTPS URLs (e.g., https://oauth-callback.onekey.so/...)
+   * will NOT work as callback URLs on native platforms.
+   *
+   * - iOS uses ASWebAuthenticationSession which only recognizes:
+   *   1. Custom URL Schemes (e.g., onekey-wallet://...)
+   *   2. Universal Links (requires apple-app-site-association on server)
+   *
+   * - Android uses Chrome Custom Tabs + Linking API which only catches:
+   *   1. Custom URL Schemes (e.g., onekey-wallet://...)
+   *   2. Android App Links (requires assetlinks.json on server)
+   *
+   * Using an arbitrary HTTPS URL will cause the browser to navigate to that URL
+   * instead of returning control to the app. The user would have to manually
+   * close the browser, resulting in a "cancel" error.
+   */
+  static override getRedirectUrl(): Promise<string> {
+    // ❌ Does NOT work - arbitrary HTTPS URL, not recognized by native platforms
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const callbackUrl = `https://oauth-callback.onekey.so/${OAUTH_CALLBACK_NATIVE_PATH}`;
+
+    // ✅ Works - Custom URL Scheme registered in app
+    const callbackUrlDeepLink = `${ONEKEY_APP_DEEP_LINK}${OAUTH_CALLBACK_NATIVE_PATH}`;
+
+    // ✅ Works - Universal Link (if properly configured with apple-app-site-association)
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    const callbackUrlUniversalLink = `${WalletConnectUniversalLinkFull}${OAUTH_CALLBACK_NATIVE_PATH}`;
+
+    return Promise.resolve(callbackUrlDeepLink);
+  }
+
+  /**
+   * Open OAuth and return result.
+   *
+   * Routes to the appropriate sign-in method based on provider and platform:
+   * - Apple on iOS: Uses native Apple Sign-In via expo-apple-authentication
+   * - Apple on Android: Uses WebBrowser method (Apple Sign-In via web OAuth)
+   * - Google: Uses @react-native-google-signin for native Google Sign-In
+   * - Fallback: Uses expo-web-browser for in-app browser OAuth
+   */
+  static override async open(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { provider } = options;
+    const method = DEFAULT_NATIVE_OAUTH_METHOD;
+    if (method === ENativeOAuthMethod.WEB_BROWSER) {
+      // Use WebBrowser method
+      return OAuthPopup.openWithWebBrowser(options);
+    }
+
+    // Apple Sign-In: Use native on iOS, WebBrowser on Android
+    // Supabase Apple provider Client IDs must include: so.onekey.wallet (iOS Bundle ID)
+    if (provider === 'apple') {
+      if (platformEnv.isNativeIOS) {
+        try {
+          return await OAuthPopup.openWithAppleSignin(options);
+        } catch (error) {
+          // If Apple Sign-In fails due to setup issues, fall back to WebBrowser
+          if (OAuthPopup.shouldFallbackToWebBrowserForApple(error)) {
+            console.warn(
+              'Apple Sign-In not available, falling back to WebBrowser:',
+              error instanceof Error ? error.message : error,
+            );
+            return OAuthPopup.openWithWebBrowser(options);
+          }
+          throw error;
+        }
+      }
+      // Android: Use WebBrowser for Apple Sign-In
+      return OAuthPopup.openWithWebBrowser(options);
+    }
+
+    // Google Sign-In: Try native GoogleSignin first (default)
+    if (provider === 'google') {
+      try {
+        return await OAuthPopup.openWithGoogleSignin(options);
+      } catch (error) {
+        // If GoogleSignin fails due to setup issues, fall back to WebBrowser
+        if (OAuthPopup.shouldFallbackToWebBrowser(error)) {
+          console.warn(
+            'GoogleSignin not available, falling back to WebBrowser:',
+            error instanceof Error ? error.message : error,
+          );
+          return OAuthPopup.openWithWebBrowser(options);
+        }
+        throw error;
+      }
+    }
+
+    throw new OneKeyLocalError(
+      `Unsupported provider: ${provider || 'unknown'}`,
+    );
+  }
+
+  // ============ Private Methods - Shared ============
+
+  /**
+   * Generate a random nonce and its SHA-256 hash.
+   * The hash is passed to OAuth provider, and the raw nonce to Supabase.
+   * This is required for ID token validation.
+   */
+  private static async generateNonce({
+    options,
+  }: {
+    options: IOAuthPopupOptions;
+  }): Promise<{
+    rawNonce: string | undefined;
+    hashedNonce: string | undefined;
+  }> {
+    const rawNonce = Crypto.randomUUID();
+    const hashedNonce = await Crypto.digestStringAsync(
+      Crypto.CryptoDigestAlgorithm.SHA256,
+      rawNonce,
+    );
+    if (platformEnv.isNativeIOS && options.provider === 'google') {
+      return { rawNonce: undefined, hashedNonce: undefined };
+    }
+    return { rawNonce, hashedNonce };
+  }
+
+  // ============ Private Methods - GoogleSignin ============
+
+  /**
+   * Check if error indicates GoogleSignin is not properly configured
+   * and we should fall back to WebBrowser.
+   */
+  private static shouldFallbackToWebBrowser(error: unknown): boolean {
+    if (error instanceof Error) {
+      const message = error.message.toLowerCase();
+      // Common GoogleSignin setup errors that indicate fallback is needed
+      return (
+        message.includes('developer_error') ||
+        message.includes('sign_in_required') ||
+        message.includes('play services') ||
+        message.includes('not configured') ||
+        message.includes('google sign in not available')
+      );
+    }
+    return false;
+  }
+
+  // ============ Private Methods - Apple Sign-In ============
+
+  /**
+   * Check if error indicates Apple Sign-In is not properly configured
+   * and we should fall back to WebBrowser.
+   */
+  private static shouldFallbackToWebBrowserForApple(error: unknown): boolean {
+    if (error instanceof Error) {
+      const message = error.message.toLowerCase();
+      // Common Apple Sign-In setup errors that indicate fallback is needed
+      return (
+        message.includes('not available') ||
+        message.includes('not configured') ||
+        message.includes('capability') ||
+        message.includes('entitlement')
+      );
+    }
+    return false;
+  }
+
+  /**
+   * Open OAuth using expo-apple-authentication (iOS only).
+   *
+   * Flow:
+   * 1. Check if Apple Sign-In is available on this device
+   * 2. Call Apple Sign-In with requested scopes
+   * 3. Get Apple ID token from result
+   * 4. Exchange ID token for Supabase session using signInWithIdToken
+   * 5. Handle session persistence
+   *
+   * Reference: https://supabase.com/docs/guides/auth/social-login/auth-apple
+   */
+  private static async openWithAppleSignin(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { client, handleSessionPersistence } = options;
+
+    if (!client) {
+      throw new OneKeyLocalError('Supabase client is required');
+    }
+
+    // Check if Apple Sign-In is available on this device
+    const isAvailable = await AppleAuthentication.isAvailableAsync();
+    if (!isAvailable) {
+      throw new OneKeyLocalError(
+        'Apple Sign-In is not available on this device. ' +
+          'Make sure you are running iOS 13+ and have Sign in with Apple capability enabled.',
+      );
+    }
+
+    try {
+      // Generate nonce for security validation if enabled
+      // The hashed nonce is passed to Apple, raw nonce is passed to Supabase
+      // Reference: https://developer.apple.com/documentation/authenticationservices/asauthorizationopenidrequest/nonce
+      let rawNonce: string | undefined;
+      let hashedNonce: string | undefined;
+
+      if (APPLE_SIGNIN_USE_NONCE) {
+        const nonceResult = await OAuthPopup.generateNonce({ options });
+        rawNonce = nonceResult.rawNonce;
+        hashedNonce = nonceResult.hashedNonce;
+      }
+
+      // Perform Apple Sign-In with optional nonce
+      const credential = await OAuthPopup.performAppleSignIn(hashedNonce);
+
+      // Get the identity token (JWT) from Apple
+      const idToken = credential.identityToken;
+
+      if (!idToken) {
+        throw new OneKeyLocalError(
+          'No identity token received from Apple Sign-In. ' +
+            'Make sure Sign in with Apple is properly configured.',
+        );
+      }
+
+      // Exchange Apple ID token for Supabase session
+      // Reference: https://supabase.com/docs/guides/auth/social-login/auth-apple?platform=react-native
+      // The raw nonce is passed to Supabase to validate against the hashed nonce in the ID token
+      const { data, error } = await client.auth.signInWithIdToken({
+        provider: 'apple',
+        token: idToken,
+        ...(rawNonce && { nonce: rawNonce }),
+      });
+
+      if (error) {
+        throw new OneKeyLocalError(error.message);
+      }
+
+      if (!data.session) {
+        throw new OneKeyLocalError(
+          'Failed to exchange Apple ID token for session',
+        );
+      }
+
+      const accessToken = data.session.access_token;
+      const refreshToken = data.session.refresh_token;
+
+      // Handle session persistence
+      await handleSessionPersistence({
+        accessToken,
+        refreshToken,
+      });
+
+      return {
+        success: true,
+        session: { accessToken, refreshToken },
+      };
+    } catch (error) {
+      // Handle specific Apple Sign-In errors
+      if (OAuthPopup.isAppleUserCancelledError(error)) {
+        throw new OneKeyLocalError('OAuth sign-in was cancelled');
+      }
+
+      throw error;
+      // Provide more helpful error messages for common Apple Sign-In issues
+      // const wrappedError = OAuthPopup.wrapAppleSignInError(error);
+      // throw wrappedError;
+    }
+  }
+
+  /**
+   * Perform the actual Apple Sign-In request.
+   * Optionally uses nonce for replay attack protection when APPLE_SIGNIN_USE_NONCE is enabled.
+   * Reference: https://developer.apple.com/documentation/authenticationservices/asauthorizationopenidrequest/nonce
+   */
+  private static async performAppleSignIn(
+    hashedNonce?: string,
+  ): Promise<AppleAuthentication.AppleAuthenticationCredential> {
+    const credential = await AppleAuthentication.signInAsync({
+      requestedScopes: [
+        AppleAuthentication.AppleAuthenticationScope.FULL_NAME,
+        AppleAuthentication.AppleAuthenticationScope.EMAIL,
+      ],
+      ...(hashedNonce && { nonce: hashedNonce }),
+    });
+    return credential;
+  }
+
+  /**
+   * Check if error indicates user cancelled Apple Sign-In.
+   */
+  private static isAppleUserCancelledError(error: unknown): boolean {
+    // expo-apple-authentication throws an error with code 'ERR_CANCELED' when user cancels
+    if (error instanceof Error) {
+      const errorWithCode = error as Error & { code?: string };
+      if (errorWithCode.code === 'ERR_REQUEST_CANCELED') {
+        return true;
+      }
+      if (errorWithCode.code === 'ERR_CANCELED') {
+        return true;
+      }
+      // Also check message for cancellation indicators
+      const message = error.message.toLowerCase();
+      return (
+        message.includes('cancelled') ||
+        message.includes('canceled') ||
+        message.includes('user canceled')
+      );
+    }
+    return false;
+  }
+
+  /**
+   * Wrap Apple Sign-In errors with more helpful messages.
+   */
+  private static wrapAppleSignInError(error: unknown): Error {
+    if (error instanceof OneKeyLocalError) {
+      return error;
+    }
+
+    if (error instanceof Error) {
+      const errorWithCode = error as Error & { code?: string };
+      const code = errorWithCode.code || '';
+      const message = error.message.toLowerCase();
+
+      // Handle specific Apple error cases
+      // "The authorization attempt failed for an unknown reason" - generic Apple error
+      if (
+        message.includes('authorization attempt failed') ||
+        message.includes('unknown reason')
+      ) {
+        return new OneKeyLocalError(
+          'Apple Sign-In failed. Please ensure:\n' +
+            '1. You are signed in to iCloud on this device\n' +
+            '2. Sign in with Apple is enabled in Settings > Apple ID > Sign-In & Security\n' +
+            '3. You are not running on a simulator without Apple ID configured',
+        );
+      }
+
+      // ERR_REQUEST_FAILED - generic request failure
+      if (code === 'ERR_REQUEST_FAILED') {
+        return new OneKeyLocalError(
+          'Apple Sign-In request failed. Please check your network connection and try again.',
+        );
+      }
+
+      // ERR_INVALID_RESPONSE - invalid response from Apple
+      if (code === 'ERR_INVALID_RESPONSE') {
+        return new OneKeyLocalError(
+          'Invalid response from Apple Sign-In. Please try again.',
+        );
+      }
+
+      // ERR_REQUEST_NOT_HANDLED - not properly configured
+      if (code === 'ERR_REQUEST_NOT_HANDLED') {
+        return new OneKeyLocalError(
+          'Apple Sign-In is not properly configured. ' +
+            'Please ensure Sign in with Apple capability is enabled.',
+        );
+      }
+
+      // Default: return the original error message
+      return new OneKeyLocalError(`Apple Sign-In failed: ${error.message}`);
+    }
+
+    return new OneKeyLocalError('Apple Sign-In failed for an unknown reason');
+  }
+
+  /**
+   * Configure GoogleSignin with the provided options.
+   * Returns the GoogleSignin instance for further use.
+   */
+  private static async configureGoogleSignin(): Promise<
+    typeof GoogleSigninType
+  > {
+    const GoogleSignin = await getGoogleSignin();
+
+    const configOptions = platformEnv.isNativeIOS
+      ? GoogleSignInConfigureIOS
+      : GoogleSignInConfigure;
+
+    GoogleSignin.configure(configOptions);
+    return GoogleSignin;
+  }
+
+  /**
+   * Open OAuth using @react-native-google-signin/google-signin.
+   *
+   * Flow:
+   * 1. Configure GoogleSignin with client IDs
+   * 2. Call GoogleSignin.signIn() for native Google Sign-In UI
+   * 3. Get Google ID token from result
+   * 4. Exchange ID token for Supabase session using signInWithIdToken
+   * 5. Handle session persistence
+   */
+  private static async openWithGoogleSignin(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { client, handleSessionPersistence } = options;
+
+    if (!client) {
+      throw new OneKeyLocalError('Supabase client is required');
+    }
+
+    // Configure GoogleSignin (lazy loaded)
+    const GoogleSignin = await OAuthPopup.configureGoogleSignin();
+
+    // Generate nonce for security validation (required for iOS)
+    // The hashed nonce is passed to Google, raw nonce is passed to Supabase
+    const { rawNonce, hashedNonce } = await OAuthPopup.generateNonce({
+      options,
+    });
+
+    try {
+      // Check if Google Play Services is available (Android only)
+      if (platformEnv.isNativeAndroid) {
+        await GoogleSignin.hasPlayServices({
+          showPlayServicesUpdateDialog: true,
+        });
+      }
+
+      // Perform Google Sign-In with hashed nonce
+      // The signIn() method returns different types based on library version:
+      // - v9+: SignInResponse with { type: 'success' | 'cancelled', data?: User }
+      // - older: User directly
+      // We handle both cases for compatibility
+      // Note: nonce is supported by the native SDK but not typed in current library version
+      const signInResult = await GoogleSignin.signIn({
+        nonce: hashedNonce,
+      } as Parameters<typeof GoogleSignin.signIn>[0]);
+
+      // Extract idToken - handle both v9+ and older API
+      // v9+: signInResult may have .type and .data properties
+      // older: signInResult has .idToken directly
+      let idToken: string | null = null;
+
+      // Type guard for v9+ API response
+      const resultWithType = signInResult as {
+        type?: string;
+        data?: { idToken?: string | null };
+        idToken?: string | null;
+      };
+
+      if (resultWithType.type === 'cancelled') {
+        throw new OneKeyLocalError('OAuth sign-in was cancelled');
+      }
+
+      if (resultWithType.data?.idToken) {
+        // v9+ API: { type: 'success', data: { idToken: '...' } }
+        idToken = resultWithType.data.idToken;
+      } else if (resultWithType.idToken) {
+        // Older API: { idToken: '...' }
+        idToken = resultWithType.idToken;
+      }
+
+      if (!idToken) {
+        throw new OneKeyLocalError(
+          'No ID token received from Google Sign-In. ' +
+            'Make sure webClientId is configured correctly.',
+        );
+      }
+
+      // Exchange Google ID token for Supabase session
+      // Per Supabase docs: https://supabase.com/docs/guides/auth/social-login/auth-google
+      // The raw nonce must be passed to Supabase to validate against the hashed nonce in the ID token
+      const { data, error } = await client.auth.signInWithIdToken({
+        provider: 'google',
+        token: idToken,
+        // check generateNonce() function
+        // if rawNonce=undefined:
+        //     Passed nonce and nonce in id_token should either both exist or not.
+        // if rawNonce exists:
+        //     Nonces mismatch
+        nonce: rawNonce,
+      });
+
+      if (error) {
+        throw new OneKeyLocalError(error.message);
+      }
+
+      if (!data.session) {
+        throw new OneKeyLocalError(
+          'Failed to exchange Google ID token for session',
+        );
+      }
+
+      const accessToken = data.session.access_token;
+      const refreshToken = data.session.refresh_token;
+
+      // Handle session persistence
+      await handleSessionPersistence({
+        accessToken,
+        refreshToken,
+      });
+
+      return {
+        success: true,
+        session: { accessToken, refreshToken },
+      };
+    } catch (error) {
+      // Handle specific GoogleSignin errors
+      if (OAuthPopup.isUserCancelledError(error)) {
+        throw new OneKeyLocalError('OAuth sign-in was cancelled');
+      }
+      throw OAuthPopup.wrapError(error, 'Google Sign-In failed');
+    }
+  }
+
+  // ============ Private Methods - WebBrowser ============
+
+  /**
+   * Open OAuth using expo-web-browser.openAuthSessionAsync.
+   *
+   * This is the fallback method that opens an in-app browser.
+   * Uses PKCE flow: extracts authorization code and exchanges for session.
+   */
+  private static async openWithWebBrowser(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const {
+      authUrl,
+      redirectTo: redirectToFromOptions,
+      handleSessionPersistence,
+      client,
+    } = options;
+
+    if (!authUrl) {
+      throw new OneKeyLocalError('OAuth URL is required for WebBrowser method');
+    }
+
+    if (!redirectToFromOptions) {
+      throw new OneKeyLocalError(
+        'redirectTo is required. Call OAuthPopup.getRedirectUrl() first.',
+      );
+    }
+
+    if (!client) {
+      throw new OneKeyLocalError(
+        'Supabase client is required for WebBrowser method',
+      );
+    }
+
+    const redirectTo = redirectToFromOptions;
+
+    // Parse expected states for validation
+    const { expectedState, expectedOneKeyState } =
+      OAuthPopup.parseExpectedStates(authUrl);
+
+    // Open in-app browser for OAuth
+    const browserResult = await WebBrowser.openAuthSessionAsync(
+      authUrl,
+      redirectTo,
+      {
+        showInRecents: true,
+        preferEphemeralSession: false,
+      },
+    );
+
+    Dialog.debugMessage({
+      title: 'WebBrowser.openAuthSessionAsync',
+      debugMessage: {
+        browserResult,
+      },
+    });
+
+    if (browserResult.type === 'success' && browserResult.url) {
+      const url = new URL(browserResult.url);
+
+      // Check for error in callback
+      const error =
+        url.searchParams.get('error') ||
+        url.searchParams.get('error_description');
+      if (error) {
+        throw new OneKeyLocalError(error);
+      }
+
+      // PKCE flow: extract authorization code
+      const code = url.searchParams.get('code');
+      const state = url.searchParams.get('state');
+      const oneKeyState = url.searchParams.get(ONEKEY_OAUTH_STATE_KEY);
+
+      if (code) {
+        // Validate states
+        OAuthPopup.validateOneKeyState(expectedOneKeyState, oneKeyState);
+        OAuthPopup.validateSupabaseState(expectedState, state);
+
+        // Exchange code for session using PKCE
+        const { accessToken, refreshToken } =
+          await OAuthPopup.exchangeCodeForSession(client, code);
+
+        await handleSessionPersistence({
+          accessToken,
+          refreshToken,
+        });
+
+        return {
+          success: true,
+          session: { accessToken, refreshToken },
+        };
+      }
+
+      // NOTE: We intentionally do NOT support Implicit Flow fallback here.
+      // Implicit Flow returns access_token directly in URL hash, which is less secure.
+      // Since Supabase is configured with flowType: 'pkce', only authorization codes
+      // are returned, and this fallback would never be triggered anyway.
+      // If we reach here without a code, the OAuth flow has failed.
+      throw new OneKeyLocalError(
+        'OAuth callback missing authorization code. PKCE flow required.',
+      );
+    }
+
+    if (browserResult.type === 'cancel') {
+      throw new OneKeyLocalError('OAuth sign-in was cancelled');
+    }
+
+    throw new OneKeyLocalError('OAuth sign-in failed');
+  }
+}
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.tsx b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.tsx
new file mode 100644
index 000000000000..ec6965f8d5ff
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopup.tsx
@@ -0,0 +1,264 @@
+import {
+  OAUTH_CALLBACK_WEB_PATH,
+  OAUTH_FLOW_TIMEOUT_MS,
+  OAUTH_POLL_INTERVAL_MS,
+  OAUTH_POPUP_HEIGHT,
+  OAUTH_POPUP_WIDTH,
+  ONEKEY_OAUTH_STATE_KEY,
+} from '@onekeyhq/shared/src/consts/authConsts';
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+
+import { OAuthPopupBase } from './OAuthPopupBase';
+
+import type { IOAuthPopupOptions, IOAuthPopupResult } from './types';
+
+// ============================================================================
+// Web OAuth Popup Implementation
+// ============================================================================
+
+/**
+ * OAuth popup implementation for web platform.
+ *
+ * Uses a popup window for OAuth authentication.
+ * Polls the popup URL to detect callback and extract authorization code.
+ * Uses Supabase PKCE flow for secure token exchange.
+ */
+export class OAuthPopup extends OAuthPopupBase {
+  // ============ Public API ============
+
+  /**
+   * Get OAuth redirect URL for web platform.
+   *
+   * Uses the current origin with /oauth_callback_web path.
+   * Example: https://app.onekey.so/oauth_callback_web
+   */
+  static override getRedirectUrl(): Promise<string> {
+    return Promise.resolve(
+      `${globalThis.location?.origin || ''}${OAUTH_CALLBACK_WEB_PATH}`,
+    );
+  }
+
+  /**
+   * Open OAuth popup window and return result.
+   *
+   * Flow:
+   * 1. Open popup window with OAuth URL
+   * 2. Poll popup URL for authorization code
+   * 3. Exchange code for session using Supabase PKCE
+   * 4. Handle session persistence
+   */
+  static override async open(
+    options: IOAuthPopupOptions,
+  ): Promise<IOAuthPopupResult> {
+    const { authUrl, client, handleSessionPersistence } = options;
+
+    if (!authUrl) {
+      throw new OneKeyLocalError('OAuth URL is required');
+    }
+
+    if (!client) {
+      throw new OneKeyLocalError('Supabase client is required');
+    }
+
+    return new Promise((resolve, reject) => {
+      let settled = false;
+      let inFlight = false;
+      let pollIntervalId: ReturnType<typeof setInterval> | null = null;
+      let timeoutId: ReturnType<typeof setTimeout> | null = null;
+
+      // Parse expected states for validation
+      const { expectedState, expectedOneKeyState } =
+        OAuthPopup.parseExpectedStates(authUrl);
+
+      const cleanup = (popup: Window | null) => {
+        if (pollIntervalId) {
+          clearInterval(pollIntervalId);
+          pollIntervalId = null;
+        }
+        if (timeoutId) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        if (popup && !popup.closed) {
+          OAuthPopup.closePopup(popup);
+        }
+      };
+
+      const resolveOnce = (result: IOAuthPopupResult, popup: Window | null) => {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        cleanup(popup);
+        resolve(result);
+      };
+
+      const rejectOnce = (error: unknown, popup: Window | null) => {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        cleanup(popup);
+        reject(error);
+      };
+
+      // Calculate popup window position (centered)
+      const width = OAUTH_POPUP_WIDTH;
+      const height = OAUTH_POPUP_HEIGHT;
+      const left = globalThis.screenX + (globalThis.outerWidth - width) / 2;
+      const top = globalThis.screenY + (globalThis.outerHeight - height) / 2;
+
+      // Open popup window
+      const popup = globalThis.open(
+        authUrl,
+        'oauth_popup',
+        `width=${width},height=${height},left=${left},top=${top},menubar=no,toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes`,
+      );
+
+      if (!popup) {
+        rejectOnce(
+          new OneKeyLocalError(
+            'Popup was blocked. Please allow popups and try again.',
+          ),
+          null,
+        );
+        return;
+      }
+
+      OAuthPopup.focusPopup(popup);
+
+      // Poll for popup close and check for auth code (PKCE flow)
+      pollIntervalId = setInterval(() => {
+        if (inFlight) {
+          return;
+        }
+        inFlight = true;
+
+        void (async () => {
+          try {
+            if (settled) {
+              return;
+            }
+
+            OAuthPopup.focusPopup(popup);
+
+            // Check if popup is closed
+            if (popup.closed) {
+              // Check if we got a session after popup closed
+              const { data } = await client.auth.getSession();
+              if (data.session) {
+                const accessToken = data.session.access_token;
+                const refreshToken = data.session.refresh_token;
+
+                await handleSessionPersistence({
+                  accessToken,
+                  refreshToken,
+                });
+
+                resolveOnce(
+                  {
+                    success: true,
+                    session: { accessToken, refreshToken },
+                  },
+                  popup,
+                );
+              } else {
+                rejectOnce(
+                  new OneKeyLocalError(
+                    'OAuth authentication failed: no session found after popup closed',
+                  ),
+                  popup,
+                );
+              }
+              return;
+            }
+
+            // Try to read the popup URL to check for callback
+            try {
+              const popupUrl = popup.location.href;
+              // PKCE flow: check for 'code' parameter in URL
+              if (popupUrl && popupUrl.includes('code=')) {
+                OAuthPopup.closePopup(popup);
+
+                // Parse authorization code from URL query string
+                const url = new URL(popupUrl);
+                const code = url.searchParams.get('code');
+                const state = url.searchParams.get('state');
+                const oneKeyState = url.searchParams.get(
+                  ONEKEY_OAUTH_STATE_KEY,
+                );
+
+                if (!code) {
+                  rejectOnce(
+                    new OneKeyLocalError('Authorization code is missing'),
+                    popup,
+                  );
+                  return;
+                }
+
+                // Validate states
+                OAuthPopup.validateOneKeyState(
+                  expectedOneKeyState,
+                  oneKeyState,
+                );
+                OAuthPopup.validateSupabaseState(expectedState, state);
+
+                // Exchange code for session
+                const { accessToken, refreshToken } =
+                  await OAuthPopup.exchangeCodeForSession(client, code);
+
+                await handleSessionPersistence({
+                  accessToken,
+                  refreshToken,
+                });
+
+                resolveOnce(
+                  {
+                    success: true,
+                    session: { accessToken, refreshToken },
+                  },
+                  popup,
+                );
+              }
+            } catch {
+              // Cross-origin error - popup is on different domain, continue polling
+            }
+          } catch (error) {
+            rejectOnce(error, popup);
+          } finally {
+            inFlight = false;
+          }
+        })();
+      }, OAUTH_POLL_INTERVAL_MS);
+
+      // Cleanup after timeout
+      timeoutId = setTimeout(() => {
+        rejectOnce(new OneKeyLocalError('OAuth sign-in timed out'), popup);
+      }, OAUTH_FLOW_TIMEOUT_MS);
+    });
+  }
+
+  // ============ Private Methods ============
+
+  /**
+   * Focus the popup window to bring it to front.
+   */
+  private static focusPopup(win: Window | null): void {
+    try {
+      win?.focus();
+    } catch {
+      // Focusing may fail, silently ignore
+    }
+  }
+
+  /**
+   * Close the popup window safely.
+   */
+  private static closePopup(win: Window | null): void {
+    try {
+      win?.close();
+    } catch {
+      // Closing may fail, silently ignore
+    }
+  }
+}
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopupBase.ts b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopupBase.ts
new file mode 100644
index 000000000000..9b5c634d3ead
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/OAuthPopupBase.ts
@@ -0,0 +1,201 @@
+import {
+  OAUTH_FLOW_TIMEOUT_MS,
+  ONEKEY_OAUTH_STATE_KEY,
+} from '@onekeyhq/shared/src/consts/authConsts';
+import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+
+import type { IOAuthPopupOptions, IOAuthPopupResult } from './types';
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+// ============================================================================
+// Parsed States Type
+// ============================================================================
+
+export interface IParsedOAuthStates {
+  // Supabase OAuth state (anti-CSRF)
+  expectedState: string | null;
+  // OneKey custom state (defense-in-depth)
+  expectedOneKeyState: string | null;
+}
+
+// ============================================================================
+// Abstract Base Class
+// ============================================================================
+
+/**
+ * Abstract base class for OAuth popup implementations.
+ *
+ * Each platform (web, ext, desktop, native) extends this class
+ * and implements the abstract methods.
+ */
+export abstract class OAuthPopupBase {
+  // ============ Abstract Methods (platforms must implement) ============
+
+  /**
+   * Get the OAuth redirect URL for this platform.
+   * Some platforms return a Promise (e.g., desktop needs to start a server first).
+   */
+  static getRedirectUrl(): Promise<string> {
+    throw new OneKeyLocalError(
+      'OAuthPopupBase.getRedirectUrl() must be implemented by platform',
+    );
+  }
+
+  /**
+   * Open OAuth popup and return result.
+   * Platform implementations handle the OAuth flow internally.
+   */
+  static open(_options: IOAuthPopupOptions): Promise<IOAuthPopupResult> {
+    throw new OneKeyLocalError(
+      'OAuthPopupBase.open() must be implemented by platform',
+    );
+  }
+
+  // ============ Protected Shared Utilities ============
+
+  /**
+   * Parse expected states from Supabase OAuth URL.
+   *
+   * Extracts:
+   * - Supabase state parameter (for CSRF protection)
+   * - OneKey custom state from redirect_to URL (defense-in-depth)
+   */
+  protected static parseExpectedStates(authUrl: string): IParsedOAuthStates {
+    try {
+      const authUrlObj = new URL(authUrl);
+      const expectedState = authUrlObj.searchParams.get('state');
+
+      // Parse our own state from the embedded redirect_to URL
+      let expectedOneKeyState: string | null = null;
+      const redirectTo = authUrlObj.searchParams.get('redirect_to');
+      if (redirectTo) {
+        try {
+          const redirectToUrl = new URL(redirectTo);
+          expectedOneKeyState = redirectToUrl.searchParams.get(
+            ONEKEY_OAUTH_STATE_KEY,
+          );
+        } catch {
+          expectedOneKeyState = null;
+        }
+      }
+
+      return { expectedState, expectedOneKeyState };
+    } catch {
+      return { expectedState: null, expectedOneKeyState: null };
+    }
+  }
+
+  /**
+   * Validate OneKey custom state parameter (defense-in-depth).
+   * Throws if validation fails.
+   */
+  protected static validateOneKeyState(
+    expectedState: string | null,
+    actualState: string | null,
+  ): void {
+    if (!expectedState) {
+      throw new OneKeyLocalError('Expected OneKey OAuth state is missing');
+    }
+    if (!actualState) {
+      throw new OneKeyLocalError('OAuth state is missing');
+    }
+    if (actualState !== expectedState) {
+      throw new OneKeyLocalError('OAuth state mismatch');
+    }
+  }
+
+  /**
+   * Validate Supabase OAuth state parameter (anti-CSRF).
+   * Only validates if expectedState is provided.
+   * Throws if validation fails.
+   */
+  protected static validateSupabaseState(
+    expectedState: string | null,
+    actualState: string | null,
+  ): void {
+    if (expectedState) {
+      if (!actualState) {
+        throw new OneKeyLocalError('OAuth state is missing');
+      }
+      if (actualState !== expectedState) {
+        throw new OneKeyLocalError('OAuth state mismatch');
+      }
+    }
+  }
+
+  /**
+   * Create a timeout promise that rejects after specified milliseconds.
+   */
+  protected static createTimeoutPromise(
+    ms: number = OAUTH_FLOW_TIMEOUT_MS,
+  ): Promise<never> {
+    return new Promise((_, reject) => {
+      setTimeout(() => {
+        reject(new OneKeyLocalError('OAuth sign-in timed out'));
+      }, ms);
+    });
+  }
+
+  /**
+   * Race a promise against timeout.
+   * Returns the promise result or throws timeout error.
+   */
+  protected static async withTimeout<T>(
+    promise: Promise<T>,
+    ms: number = OAUTH_FLOW_TIMEOUT_MS,
+  ): Promise<T> {
+    return Promise.race([promise, this.createTimeoutPromise(ms)]);
+  }
+
+  /**
+   * Exchange authorization code for session using Supabase PKCE flow.
+   * The Supabase client automatically uses the stored code_verifier.
+   */
+  protected static async exchangeCodeForSession(
+    client: SupabaseClient,
+    code: string,
+  ): Promise<{ accessToken: string; refreshToken: string }> {
+    const { data, error } = await client.auth.exchangeCodeForSession(code);
+
+    if (error) {
+      throw new OneKeyLocalError(error.message);
+    }
+
+    if (!data.session) {
+      throw new OneKeyLocalError(
+        'Failed to exchange authorization code for session',
+      );
+    }
+
+    return {
+      accessToken: data.session.access_token,
+      refreshToken: data.session.refresh_token,
+    };
+  }
+
+  /**
+   * Wrap error with OneKeyLocalError if not already.
+   */
+  protected static wrapError(error: unknown, fallbackMessage: string): Error {
+    if (error instanceof OneKeyLocalError) {
+      return error;
+    }
+    return new OneKeyLocalError(
+      error instanceof Error ? error.message : fallbackMessage,
+    );
+  }
+
+  /**
+   * Check if error indicates user cancelled OAuth.
+   */
+  protected static isUserCancelledError(error: unknown): boolean {
+    if (error instanceof Error) {
+      return (
+        error.message.includes('The user did not approve') ||
+        error.message.includes('cancelled') ||
+        error.message.includes('canceled')
+      );
+    }
+    return false;
+  }
+}
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/index.ts b/packages/kit/src/components/OneKeyAuth/OAuthPopup/index.ts
new file mode 100644
index 000000000000..ffa621164b75
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/index.ts
@@ -0,0 +1,20 @@
+// Re-export platform-specific OAuthPopup class
+// The bundler will automatically select the correct file based on platform:
+// - OAuthPopup.web.tsx for web
+// - OAuthPopup.ext.tsx for browser extension
+// - OAuthPopup.desktop.tsx for desktop (Electron)
+// - OAuthPopup.native.tsx for native (iOS/Android)
+
+export { OAuthPopup } from './OAuthPopup';
+
+// Re-export types
+export type {
+  IHandleOAuthSessionPersistenceParams,
+  IOAuthPopupOptions,
+  IOAuthPopupResult,
+  IOpenOAuthPopupOptions,
+} from './types';
+
+// Re-export base class for advanced use cases
+export { OAuthPopupBase } from './OAuthPopupBase';
+export type { IParsedOAuthStates } from './OAuthPopupBase';
diff --git a/packages/kit/src/components/OneKeyAuth/OAuthPopup/types.ts b/packages/kit/src/components/OneKeyAuth/OAuthPopup/types.ts
new file mode 100644
index 000000000000..e05748082251
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/OAuthPopup/types.ts
@@ -0,0 +1,51 @@
+import type { SupabaseClient } from '@supabase/supabase-js';
+
+// ============================================================================
+// Session Persistence Types
+// ============================================================================
+
+export type IHandleOAuthSessionPersistenceParams = {
+  accessToken: string;
+  refreshToken: string;
+};
+
+// ============================================================================
+// OAuth Result Types
+// ============================================================================
+
+export type IOAuthPopupResult = {
+  success: boolean;
+  session?: {
+    accessToken: string;
+    refreshToken: string;
+  };
+};
+
+// ============================================================================
+// OAuth Options Types
+// ============================================================================
+
+export type IOpenOAuthPopupOptions = {
+  // Whether to persist the session to storage
+  // When false (default): Only return tokens, don't call setSession
+  persistSession?: boolean;
+};
+
+/**
+ * Unified OAuth popup options for all platforms
+ */
+export interface IOAuthPopupOptions {
+  // The OAuth provider (google, apple, etc.)
+  provider?: 'google' | 'apple';
+  // The OAuth authorization URL to open
+  authUrl?: string;
+  // The OAuth redirect URL (with onekey_oauth_state if needed)
+  // This should be the same URL passed to Supabase signInWithOAuth
+  redirectTo?: string;
+  // Supabase client instance (for code exchange)
+  client?: SupabaseClient;
+  // Function to handle session persistence after OAuth success
+  handleSessionPersistence: (
+    params: IHandleOAuthSessionPersistenceParams,
+  ) => Promise<void>;
+}
diff --git a/packages/kit/src/components/OneKeyAuth/oauthUtils.ts b/packages/kit/src/components/OneKeyAuth/oauthUtils.ts
new file mode 100644
index 000000000000..362337754be6
--- /dev/null
+++ b/packages/kit/src/components/OneKeyAuth/oauthUtils.ts
@@ -0,0 +1,43 @@
+import { ONEKEY_OAUTH_STATE_KEY } from '@onekeyhq/shared/src/consts/authConsts';
+
+/**
+ * Ensures that the redirectTo URL contains ONEKEY_OAUTH_STATE_KEY parameter.
+ * If the parameter is missing, generates a cryptographically secure random state
+ * and appends it to the URL.
+ *
+ * Defense-in-depth: Supabase PKCE URL may not include `state`. We embed our own
+ * nonce into redirectTo so the callback must carry it back to us.
+ *
+ * @param redirectTo - The redirect URL to ensure state parameter exists
+ * @returns The redirect URL with ONEKEY_OAUTH_STATE_KEY parameter guaranteed to exist, or original URL if crypto is unavailable
+ */
+export function ensureOneKeyOAuthState(
+  redirectTo: string | undefined,
+): string | undefined {
+  if (!redirectTo) {
+    return redirectTo;
+  }
+
+  try {
+    const redirectUrl = new URL(redirectTo);
+    if (!redirectUrl.searchParams.has(ONEKEY_OAUTH_STATE_KEY)) {
+      // Prefer crypto-grade random; if unavailable, skip rather than generating weak state.
+      const bytes = new Uint8Array(16);
+      const cryptoObj = globalThis.crypto as
+        | undefined
+        | { getRandomValues: (arr: Uint8Array) => Uint8Array };
+      if (cryptoObj?.getRandomValues) {
+        cryptoObj.getRandomValues(bytes);
+        const state = Array.from(bytes)
+          .map((b) => b.toString(16).padStart(2, '0'))
+          .join('');
+        redirectUrl.searchParams.set(ONEKEY_OAUTH_STATE_KEY, state);
+        return redirectUrl.toString();
+      }
+    }
+    return redirectTo;
+  } catch {
+    // If URL parsing fails, return original URL
+    return redirectTo;
+  }
+}
diff --git a/packages/kit/src/components/OneKeyAuth/openOAuthPopupDesktop.tsx b/packages/kit/src/components/OneKeyAuth/openOAuthPopupDesktop.tsx
deleted file mode 100644
index 9ecb22f8d667..000000000000
--- a/packages/kit/src/components/OneKeyAuth/openOAuthPopupDesktop.tsx
+++ /dev/null
@@ -1,373 +0,0 @@
-import type { IDesktopOpenUrlEventData } from '@onekeyhq/desktop/app/app';
-import { ipcMessageKeys } from '@onekeyhq/desktop/app/config';
-import {
-  EDesktopOAuthMethod,
-  OAUTH_DESKTOP_WEBVIEW_HEIGHT,
-  OAUTH_DESKTOP_WEBVIEW_WIDTH,
-  OAUTH_FLOW_TIMEOUT_MS,
-  OAUTH_TOKEN_KEY_ACCESS_TOKEN,
-  OAUTH_TOKEN_KEY_REFRESH_TOKEN,
-} from '@onekeyhq/shared/src/consts/authConsts';
-import { ONEKEY_APP_DEEP_LINK } from '@onekeyhq/shared/src/consts/deeplinkConsts';
-import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
-
-import type {
-  IHandleOAuthSessionPersistenceParams,
-  IOAuthPopupResult,
-} from './openOAuthPopupTypes';
-
-// ============================================================================
-// Desktop OAuth Methods
-// ============================================================================
-
-/**
- * Get OAuth redirect URL for desktop platform (Electron)
- *
- * Both WEBVIEW and DEEP_LINK methods use the same deep link scheme.
- * - WEBVIEW: The webview intercepts navigation to this URL before it actually navigates
- * - DEEP_LINK: The system handles this URL via registered protocol
- *
- * Desktop registers onekey-wallet:// via app.setAsDefaultProtocolClient() in apps/desktop/app/app.ts
- *
- * @param _method - The desktop OAuth method (currently both methods use the same URL)
- * @returns The redirect URL for desktop OAuth
- */
-export async function getOAuthRedirectUrlDesktop(
-  method: EDesktopOAuthMethod,
-): Promise<string> {
-  // Desktop LOCALHOST: use Supabase OAuth (skipBrowserRedirect) and a localhost callback.
-  // Flow: Google -> Supabase -> localhost (`code` in query, PKCE) -> app persists session.
-  if (method === EDesktopOAuthMethod.LOCALHOST_SERVER) {
-    if (!globalThis.desktopApiProxy?.oauthLocalServer) {
-      throw new OneKeyLocalError(
-        'Desktop OAuth Local Server API is not available',
-      );
-    }
-    let port = 0;
-    try {
-      const serverResult =
-        await globalThis.desktopApiProxy.oauthLocalServer.startServer();
-      port = serverResult.port;
-    } catch (e) {
-      throw new OneKeyLocalError(
-        'OAuth local ports are occupied. Please close conflicting apps and try again.',
-      );
-    }
-    if (!port) {
-      throw new OneKeyLocalError('OAuth local server returned invalid port.');
-    }
-    return `http://127.0.0.1:${port}/callback`;
-  }
-
-  // Both WEBVIEW and DEEP_LINK methods use the same deep link URL
-  // The difference is how the URL is handled:
-  // - WEBVIEW: Intercepted by webview navigation event
-  // - DEEP_LINK: Handled by system protocol registration
-  return `${ONEKEY_APP_DEEP_LINK}auth/callback`;
-}
-
-/**
- * OAuth webview helper for Desktop (Electron) platform - WEBVIEW method
- *
- * Opens OAuth in an in-app webview dialog and intercepts the redirect.
- * The webview monitors navigation and extracts tokens when the URL
- * matches our redirect pattern (onekey-wallet://auth/callback)
- *
- * Pros:
- *   - Better UX - OAuth happens within the app
- *   - No need for system deep link registration
- *   - More reliable token extraction
- *
- * @param options - Configuration options
- * @param options.authUrl - The OAuth authorization URL to open
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- */
-export function openOAuthPopupDesktopWebview(options: {
-  authUrl: string;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { authUrl, handleSessionPersistence, persistSession } = options;
-
-  return new Promise((resolve, reject) => {
-    // Create a container for the OAuth webview
-    const container = document.createElement('div');
-    container.id = 'oauth-webview-container';
-    container.style.cssText = `
-      position: fixed;
-      top: 0;
-      left: 0;
-      right: 0;
-      bottom: 0;
-      background: rgba(0, 0, 0, 0.5);
-      display: flex;
-      justify-content: center;
-      align-items: center;
-      z-index: 99999;
-    `;
-
-    // Create webview wrapper
-    const wrapper = document.createElement('div');
-    wrapper.style.cssText = `
-      width: ${OAUTH_DESKTOP_WEBVIEW_WIDTH}px;
-      height: ${OAUTH_DESKTOP_WEBVIEW_HEIGHT}px;
-      background: white;
-      border-radius: 12px;
-      overflow: hidden;
-      box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25);
-      display: flex;
-      flex-direction: column;
-    `;
-
-    // Create header with close button
-    const header = document.createElement('div');
-    header.style.cssText = `
-      display: flex;
-      justify-content: space-between;
-      align-items: center;
-      padding: 12px 16px;
-      border-bottom: 1px solid #e5e5e5;
-      background: #f5f5f5;
-    `;
-
-    const title = document.createElement('span');
-    title.textContent = 'Sign in';
-    title.style.cssText = 'font-weight: 600; font-size: 14px;';
-
-    const closeButton = document.createElement('button');
-    closeButton.textContent = '✕';
-    closeButton.style.cssText = `
-      border: none;
-      background: none;
-      font-size: 18px;
-      cursor: pointer;
-      padding: 4px 8px;
-      border-radius: 4px;
-    `;
-    closeButton.onmouseover = () => {
-      closeButton.style.background = '#e0e0e0';
-    };
-    closeButton.onmouseout = () => {
-      closeButton.style.background = 'none';
-    };
-    closeButton.onclick = () => {
-      container.remove();
-      reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
-    };
-
-    header.appendChild(title);
-    header.appendChild(closeButton);
-
-    // Create webview element
-    const webview = document.createElement('webview');
-    webview.setAttribute('src', authUrl);
-    webview.setAttribute('partition', 'persist:onekey-oauth');
-    webview.style.cssText = 'flex: 1; width: 100%;';
-
-    // Handle navigation events to intercept OAuth callback
-    const handleDidStartNavigation = async (event: Event) => {
-      const navEvent = event as unknown as {
-        url: string;
-        isMainFrame: boolean;
-      };
-      const { url: navUrl, isMainFrame } = navEvent;
-
-      // Check if this is our OAuth callback
-      if (
-        isMainFrame &&
-        navUrl?.startsWith(`${ONEKEY_APP_DEEP_LINK}auth/callback`)
-      ) {
-        // Stop loading - we can't actually navigate to onekey-wallet://
-        (webview as unknown as { stop: () => void }).stop?.();
-
-        // Remove the container
-        container.remove();
-
-        try {
-          // Parse tokens from the callback URL
-          const parsedUrl = new URL(navUrl);
-          const hashParams = new URLSearchParams(
-            parsedUrl.hash.substring(1) || parsedUrl.search.substring(1),
-          );
-
-          const accessToken = hashParams.get(OAUTH_TOKEN_KEY_ACCESS_TOKEN);
-          const refreshToken = hashParams.get(OAUTH_TOKEN_KEY_REFRESH_TOKEN);
-
-          if (accessToken && refreshToken) {
-            await handleSessionPersistence({
-              accessToken,
-              refreshToken,
-              persistSession,
-            });
-
-            resolve({
-              success: true,
-              session: {
-                accessToken,
-                refreshToken,
-              },
-            });
-          } else {
-            resolve({
-              success: false,
-              session: undefined,
-            });
-          }
-        } catch (error) {
-          reject(error);
-        }
-      }
-    };
-
-    webview.addEventListener('did-start-navigation', handleDidStartNavigation);
-
-    // Handle webview load errors (e.g., if OAuth page fails to load)
-    webview.addEventListener('did-fail-load', (event: Event) => {
-      const failEvent = event as unknown as {
-        errorCode: number;
-        errorDescription: string;
-        validatedURL: string;
-        isMainFrame: boolean;
-      };
-      // Ignore aborted loads (e.g., when we stop navigation to callback URL)
-      if (failEvent.errorCode === -3) {
-        return;
-      }
-      // Only handle main frame errors
-      if (failEvent.isMainFrame) {
-        container.remove();
-        reject(
-          new OneKeyLocalError(
-            `OAuth page failed to load: ${failEvent.errorDescription}`,
-          ),
-        );
-      }
-    });
-
-    // Assemble the UI
-    wrapper.appendChild(header);
-    wrapper.appendChild(webview);
-    container.appendChild(wrapper);
-    document.body.appendChild(container);
-
-    // Click outside to close
-    container.onclick = (e) => {
-      if (e.target === container) {
-        container.remove();
-        reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
-      }
-    };
-
-    // Set a timeout
-    setTimeout(() => {
-      if (document.body.contains(container)) {
-        container.remove();
-        reject(new OneKeyLocalError('OAuth sign-in timed out'));
-      }
-    }, OAUTH_FLOW_TIMEOUT_MS); // 5 minutes timeout
-  });
-}
-
-/**
- * OAuth helper for Desktop (Electron) platform - DEEP_LINK method
- *
- * Opens OAuth URL in system browser and listens for deep link callback.
- * Requires onekey-wallet:// protocol to be registered with the system.
- *
- * How it works:
- * 1. Opens OAuth URL in system browser via shell.openExternal
- * 2. User completes OAuth in browser
- * 3. Browser redirects to onekey-wallet://auth/callback?tokens...
- * 4. System routes this URL to our Electron app
- * 5. App receives the URL via IPC and extracts tokens
- *
- * @param options - Configuration options
- * @param options.authUrl - The OAuth authorization URL to open
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- */
-export function openOAuthPopupDesktopDeepLink(options: {
-  authUrl: string;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { authUrl, handleSessionPersistence, persistSession } = options;
-
-  return new Promise((resolve, reject) => {
-    // Set up deep link listener for OAuth callback
-    const handleOAuthCallback = async (
-      _event: Event,
-      data: IDesktopOpenUrlEventData,
-    ) => {
-      const { url } = data;
-      // Check if this is our OAuth callback
-      if (url?.startsWith(`${ONEKEY_APP_DEEP_LINK}auth/callback`)) {
-        // Remove listener once we got the callback
-        globalThis.desktopApi.removeIpcEventListener(
-          ipcMessageKeys.EVENT_OPEN_URL,
-          handleOAuthCallback,
-        );
-
-        try {
-          // Parse tokens from the callback URL
-          const parsedUrl = new URL(url);
-          const hashParams = new URLSearchParams(
-            parsedUrl.hash.substring(1) || parsedUrl.search.substring(1),
-          );
-
-          const accessToken = hashParams.get(OAUTH_TOKEN_KEY_ACCESS_TOKEN);
-          const refreshToken = hashParams.get(OAUTH_TOKEN_KEY_REFRESH_TOKEN);
-
-          if (accessToken && refreshToken) {
-            await handleSessionPersistence({
-              accessToken,
-              refreshToken,
-              persistSession,
-            });
-
-            resolve({
-              success: true,
-              session: {
-                accessToken,
-                refreshToken,
-              },
-            });
-          } else {
-            resolve({
-              success: false,
-              session: undefined,
-            });
-          }
-        } catch (error) {
-          reject(error);
-        }
-      }
-    };
-
-    // Add the listener
-    globalThis.desktopApi.addIpcEventListener(
-      ipcMessageKeys.EVENT_OPEN_URL,
-      handleOAuthCallback,
-    );
-
-    // Open OAuth URL in system browser
-    // On Electron, window.open with _blank target is intercepted and opens via shell.openExternal
-    window.open(authUrl, '_blank');
-
-    // Set a timeout to clean up listener if OAuth takes too long
-    setTimeout(() => {
-      globalThis.desktopApi.removeIpcEventListener(
-        ipcMessageKeys.EVENT_OPEN_URL,
-        handleOAuthCallback,
-      );
-      reject(new OneKeyLocalError('OAuth sign-in timed out'));
-    }, OAUTH_FLOW_TIMEOUT_MS); // 5 minutes timeout
-  });
-}
diff --git a/packages/kit/src/components/OneKeyAuth/openOAuthPopupDesktopLocalhost.ts b/packages/kit/src/components/OneKeyAuth/openOAuthPopupDesktopLocalhost.ts
deleted file mode 100644
index aadd110e325f..000000000000
--- a/packages/kit/src/components/OneKeyAuth/openOAuthPopupDesktopLocalhost.ts
+++ /dev/null
@@ -1,259 +0,0 @@
-import { Dialog } from '@onekeyhq/components';
-import type { IDialogInstance } from '@onekeyhq/components';
-import {
-  OAUTH_CALLBACK_DESKTOP_CHANNEL,
-  OAUTH_FLOW_TIMEOUT_MS,
-} from '@onekeyhq/shared/src/consts/authConsts';
-import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
-import platformEnv from '@onekeyhq/shared/src/platformEnv';
-
-import type {
-  IHandleOAuthSessionPersistenceParams,
-  IOAuthPopupResult,
-} from './openOAuthPopupTypes';
-import type { SupabaseClient } from '@supabase/supabase-js';
-
-/**
- * OAuth helper for Desktop (Electron) platform using localhost HTTP server
- * with Supabase OAuth redirecting back to localhost (fixed port range).
- *
- * This method uses Supabase as the OAuth intermediary with PKCE flow:
- * Google -> Supabase -> localhost callback (authorization code in URL query)
- *
- * How it works:
- * 1. Main process starts a localhost HTTP server on a fixed port range
- * 2. Renderer opens Supabase OAuth URL in system browser (skipBrowserRedirect=true)
- * 3. Supabase handles Google OAuth and redirects back with authorization code
- * 4. Main process extracts code from URL query and sends it to renderer via IPC
- * 5. Renderer exchanges code for session tokens using Supabase client
- * 6. Renderer persists session via handleSessionPersistence
- *
- * Supabase Configuration:
- * - Add Redirect URLs (fixed port range)
- *
- * @param options - Configuration options
- * @param options.authUrl - Supabase OAuth URL (skipBrowserRedirect=true)
- * @param options.client - Supabase client instance for exchanging code
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- */
-export async function openOAuthPopupDesktopLocalhost(options: {
-  authUrl: string;
-  client: SupabaseClient;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { authUrl, client, handleSessionPersistence, persistSession } = options;
-
-  // Check if desktopApiProxy is available
-  if (!platformEnv.isDesktop || !globalThis.desktopApiProxy?.oauthLocalServer) {
-    throw new OneKeyLocalError(
-      'Desktop OAuth Local Server API is not available',
-    );
-  }
-
-  return new Promise((resolve, reject) => {
-    void (async () => {
-      try {
-        let settled = false;
-        let timeoutId: ReturnType<typeof setTimeout> | null = null;
-        let dialogClosed = false;
-        let waitingDialog: IDialogInstance | null = null;
-        let expectedState: string | null = null;
-
-        try {
-          expectedState = new URL(authUrl).searchParams.get('state');
-        } catch {
-          expectedState = null;
-        }
-
-        const cleanupFn = {
-          cleanup: async () => {},
-        };
-
-        // Listen for callback with authorization code via IPC (PKCE flow)
-        const handleCallback = async (
-          _event: Electron.IpcRendererEvent,
-          data: {
-            code?: string;
-            state?: string;
-          },
-        ) => {
-          if (settled) {
-            return;
-          }
-          settled = true;
-          // Remove listener using desktopApi (for IPC events)
-          if (globalThis.desktopApi) {
-            globalThis.desktopApi.removeIpcEventListener(
-              OAUTH_CALLBACK_DESKTOP_CHANNEL,
-              handleCallback,
-            );
-          }
-
-          try {
-            dialogClosed = true;
-            await Promise.resolve(waitingDialog?.close());
-            const code = data.code;
-            const state = data.state;
-
-            if (!code) {
-              await cleanupFn.cleanup();
-              resolve({ success: false, session: undefined });
-              return;
-            }
-
-            // Validate state (anti-CSRF / anti-injection). This does not change the redirect URI.
-            // Supabase OAuth URLs should include `state=...` and the redirect callback should echo it back.
-            if (expectedState) {
-              if (!state) {
-                await cleanupFn.cleanup();
-                reject(new OneKeyLocalError('OAuth state is missing'));
-                return;
-              }
-              if (state !== expectedState) {
-                await cleanupFn.cleanup();
-                reject(new OneKeyLocalError('OAuth state mismatch'));
-                return;
-              }
-            }
-
-            // Exchange authorization code for session tokens using PKCE
-            // The Supabase client automatically uses the stored code_verifier
-            const { data: exchangeData, error } =
-              await client.auth.exchangeCodeForSession(code);
-
-            if (error) {
-              await cleanupFn.cleanup();
-              reject(new OneKeyLocalError(error.message));
-              return;
-            }
-
-            const session = exchangeData.session;
-            if (!session) {
-              await cleanupFn.cleanup();
-              resolve({ success: false, session: undefined });
-              return;
-            }
-
-            const accessToken = session.access_token;
-            const refreshToken = session.refresh_token;
-
-            // Handle session persistence
-            await handleSessionPersistence({
-              accessToken,
-              refreshToken,
-              persistSession,
-            });
-
-            await cleanupFn.cleanup();
-            resolve({
-              success: true,
-              session: { accessToken, refreshToken },
-            });
-          } catch (error) {
-            await cleanupFn.cleanup();
-            reject(
-              new OneKeyLocalError(
-                error instanceof Error ? error.message : 'OAuth failed',
-              ),
-            );
-          }
-        };
-
-        cleanupFn.cleanup = async () => {
-          if (timeoutId) {
-            clearTimeout(timeoutId);
-            timeoutId = null;
-          }
-          if (globalThis.desktopApi) {
-            globalThis.desktopApi.removeIpcEventListener(
-              OAUTH_CALLBACK_DESKTOP_CHANNEL,
-              handleCallback,
-            );
-          }
-          try {
-            await globalThis.desktopApiProxy.oauthLocalServer.stopServer();
-          } catch {
-            // Ignore stop errors.
-          }
-          try {
-            if (!dialogClosed) {
-              await Promise.resolve(waitingDialog?.close());
-            }
-          } catch {
-            // Ignore close errors.
-          }
-        };
-
-        // Show an in-app "waiting" dialog so users can cancel immediately.
-        // Note: When opening **external system browsers**, we cannot reliably detect
-        // whether the browser window/tab was closed. Cancel is the only reliable way.
-        waitingDialog = Dialog.show({
-          title: 'Sign in',
-          description:
-            'Complete sign-in in your browser, then return to OneKey.',
-          showFooter: true,
-          showConfirmButton: false,
-          showCancelButton: true,
-          onCancel: async (close) => {
-            if (settled) {
-              await close();
-              return;
-            }
-            settled = true;
-            dialogClosed = true;
-            await close();
-            await cleanupFn.cleanup();
-            reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
-          },
-          onClose: async (extra) => {
-            // Treat manual dialog dismissal as cancel.
-            if (extra?.flag === 'cancel' && !settled) {
-              settled = true;
-              dialogClosed = true;
-              await cleanupFn.cleanup();
-              reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
-            }
-          },
-        });
-
-        // Add listener using desktopApi (for IPC events)
-        if (globalThis.desktopApi) {
-          globalThis.desktopApi.addIpcEventListener(
-            OAUTH_CALLBACK_DESKTOP_CHANNEL,
-            handleCallback,
-          );
-        }
-
-        // Open Supabase OAuth in system browser
-        await globalThis.desktopApiProxy.oauthLocalServer.openBrowser(authUrl);
-
-        // Timeout after 5 minutes
-        timeoutId = setTimeout(() => {
-          if (settled) {
-            return;
-          }
-          settled = true;
-          void cleanupFn.cleanup().finally(() => {
-            reject(new OneKeyLocalError('OAuth sign-in timed out'));
-          });
-        }, OAUTH_FLOW_TIMEOUT_MS);
-      } catch (error) {
-        Dialog.debugMessage({
-          title: 'OAuth',
-          debugMessage:
-            error instanceof Error ? error.message : 'OAuth setup failed',
-        });
-        reject(
-          new OneKeyLocalError(
-            error instanceof Error ? error.message : 'OAuth setup failed',
-          ),
-        );
-      }
-    })();
-  });
-}
diff --git a/packages/kit/src/components/OneKeyAuth/openOAuthPopupExt.tsx b/packages/kit/src/components/OneKeyAuth/openOAuthPopupExt.tsx
deleted file mode 100644
index 5e85213809cb..000000000000
--- a/packages/kit/src/components/OneKeyAuth/openOAuthPopupExt.tsx
+++ /dev/null
@@ -1,797 +0,0 @@
-/* eslint-disable spellcheck/spell-checker */
-import {
-  EExtensionOAuthMethod,
-  EXTENSION_OAUTH_USE_PKCE_FLOW,
-  GOOGLE_OAUTH_AUTHORIZE_URL,
-  GOOGLE_OAUTH_DEFAULT_SCOPES,
-  GOOGLE_OAUTH_TOKENINFO_URL,
-  GOOGLE_OAUTH_USERINFO_URL,
-  OAUTH_FLOW_TIMEOUT_MS,
-  OAUTH_POLL_INTERVAL_MS,
-  OAUTH_POPUP_HEIGHT,
-  OAUTH_POPUP_WIDTH,
-  OAUTH_TOKEN_KEY_ACCESS_TOKEN,
-  OAUTH_TOKEN_KEY_ID_TOKEN,
-  OAUTH_TOKEN_KEY_REFRESH_TOKEN,
-} from '@onekeyhq/shared/src/consts/authConsts';
-import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
-
-import type {
-  IExtensionOAuthConfig,
-  IHandleOAuthSessionPersistenceParams,
-  IOAuthPopupResult,
-} from './openOAuthPopupTypes';
-import type { SupabaseClient } from '@supabase/supabase-js';
-
-// ============================================================================
-// Extension OAuth Methods
-// ============================================================================
-
-/**
- * Get OAuth redirect URL for Chrome Extension
- *
- * Returns different URLs based on the OAuth method:
- * - CHROME_IDENTITY_API: undefined (handled internally by openOAuthPopupExtIdentity)
- * - CHROME_GET_AUTH_TOKEN: undefined (Chrome handles internally)
- * - DIRECT_EXTENSION_SCHEME: chrome-extension://<extension-id>/ui-oauth-callback.html
- *
- * @param method - The extension OAuth method to use
- * @returns The redirect URL for extension OAuth, or undefined if not needed
- */
-export function getOAuthRedirectUrlExt(
-  method: EExtensionOAuthMethod,
-): string | undefined {
-  if (
-    method === EExtensionOAuthMethod.CHROME_IDENTITY_API ||
-    method === EExtensionOAuthMethod.CHROME_GET_AUTH_TOKEN
-  ) {
-    // These methods handle redirect URL internally, not needed externally
-    return undefined;
-  }
-  // Use direct chrome-extension:// scheme
-  // Format: chrome-extension://<extension-id>/ui-oauth-callback.html
-  return chrome.runtime.getURL('ui-oauth-callback.html');
-}
-
-/**
- * OAuth configuration for Google sign-in
- * These values should match your Google Cloud Console OAuth 2.0 Client ID settings
- */
-/**
- * OAuth helper for Chrome Extension using getChromeApi().identity.launchWebAuthFlow
- * with Google ID Token + Supabase signInWithIdToken
- *
- * This is the RECOMMENDED method for extension OAuth based on Supabase documentation.
- *
- * How it works:
- * 1. Manually builds Google OAuth URL with response_type=id_token
- * 2. Opens a popup window for OAuth using getChromeApi().identity.launchWebAuthFlow
- * 3. Chrome handles the OAuth flow and redirect automatically
- * 4. Extracts id_token from callback URL hash
- * 5. Uses Supabase signInWithIdToken to exchange for session
- *
- * Supabase Configuration Required:
- * - Add Chrome Extension Client ID to Supabase Dashboard > Authentication > Providers > Google
- * - If you have multiple client IDs, concatenate them with comma (web ID first)
- *
- * @param options - Configuration options
- * @param options.config - OAuth configuration including Google Client ID
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- */
-export async function openOAuthPopupExtIdentity(options: {
-  client: SupabaseClient;
-  config: IExtensionOAuthConfig;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { client, config, handleSessionPersistence, persistSession } = options;
-  const { googleClientId, scopes = GOOGLE_OAUTH_DEFAULT_SCOPES } = config;
-
-  if (!chrome.identity) {
-    throw new OneKeyLocalError(
-      'chrome.identity API is not available. ' +
-        'Make sure you are running in a Chrome Extension context (not content script) ' +
-        'and the "identity" permission is added to manifest.json. ' +
-        'Try rebuilding the extension and reloading it in chrome://extensions.',
-    );
-  }
-
-  const getRedirectUrl = (): string => {
-    // https://<extension-id>.chromiumapp.org/
-    let redirectUrl = chrome.identity.getRedirectURL();
-    // Remove trailing slash to match Google Cloud Console configuration (and existing behavior).
-    if (redirectUrl.endsWith('/')) {
-      redirectUrl = redirectUrl.slice(0, -1);
-    }
-    return redirectUrl;
-  };
-
-  type IExtensionOAuthFlowParams = { redirectUrl: string };
-  type IExtensionOAuthFlowSignInParams = {
-    rawNonce?: string;
-    expectedState?: string;
-  };
-  type IExtensionOAuthFlowGetAuthUrlResult = {
-    authUrl: string;
-    signInParams: IExtensionOAuthFlowSignInParams;
-  };
-  type IExtensionOAuthFlowSignInInput = {
-    callbackUrl: string;
-    signInParams: IExtensionOAuthFlowSignInParams;
-  };
-  type IExtensionOAuthFlowBuilder = (params: IExtensionOAuthFlowParams) => {
-    getAuthUrl: () => Promise<IExtensionOAuthFlowGetAuthUrlResult>;
-    signIn: (
-      input: IExtensionOAuthFlowSignInInput,
-    ) => Promise<IOAuthPopupResult>;
-  };
-
-  const launchWebAuthFlowWithTimeout = async (url: string) => {
-    let timeoutId: ReturnType<typeof setTimeout> | null = null;
-    try {
-      return await Promise.race([
-        chrome.identity.launchWebAuthFlow({
-          url,
-          interactive: true,
-        }),
-        new Promise<never>((_, reject) => {
-          timeoutId = setTimeout(() => {
-            reject(new OneKeyLocalError('OAuth sign-in timed out'));
-          }, OAUTH_FLOW_TIMEOUT_MS);
-        }),
-      ]);
-    } finally {
-      if (timeoutId) {
-        clearTimeout(timeoutId);
-        timeoutId = null;
-      }
-    }
-  };
-
-  const buildPkceFlowParams = ({ redirectUrl }: IExtensionOAuthFlowParams) => ({
-    getAuthUrl: async () => {
-      const oauthUrlResult = await client.auth.signInWithOAuth({
-        provider: 'google',
-        options: {
-          skipBrowserRedirect: true,
-          redirectTo: redirectUrl,
-          queryParams: {
-            prompt: 'select_account',
-          },
-        },
-      });
-
-      if (oauthUrlResult.error) {
-        throw new OneKeyLocalError(oauthUrlResult.error.message);
-      }
-      const authUrl = oauthUrlResult.data?.url;
-      if (!authUrl) {
-        throw new OneKeyLocalError('Failed to create Supabase OAuth URL.');
-      }
-      let expectedState: string | undefined;
-      try {
-        expectedState = new URL(authUrl).searchParams.get('state') ?? undefined;
-      } catch {
-        expectedState = undefined;
-      }
-      return {
-        authUrl,
-        signInParams: { expectedState },
-      };
-    },
-    signIn: async ({
-      callbackUrl,
-      signInParams,
-    }: IExtensionOAuthFlowSignInInput) => {
-      // https://<extension-id>.chromiumapp.org/?code=xxxx
-      const url = new URL(callbackUrl);
-      if (!callbackUrl.startsWith(redirectUrl)) {
-        throw new OneKeyLocalError('Invalid OAuth redirect URL');
-      }
-      const error =
-        url.searchParams.get('error') ||
-        url.searchParams.get('error_description');
-      if (error) {
-        throw new OneKeyLocalError(error);
-      }
-
-      const code = url.searchParams.get('code');
-      const state = url.searchParams.get('state');
-      if (signInParams.expectedState) {
-        if (!state) {
-          throw new OneKeyLocalError('OAuth state is missing');
-        }
-        if (state !== signInParams.expectedState) {
-          throw new OneKeyLocalError('OAuth state mismatch');
-        }
-      }
-      if (!code) {
-        return {
-          success: false,
-          session: undefined,
-        };
-      }
-
-      const { data, error: exchangeError } =
-        await client.auth.exchangeCodeForSession(code);
-      if (exchangeError) {
-        throw new OneKeyLocalError(exchangeError.message);
-      }
-
-      if (!data.session) {
-        return {
-          success: false,
-          session: undefined,
-        };
-      }
-
-      const accessToken = data.session.access_token;
-      const refreshToken = data.session.refresh_token;
-
-      await handleSessionPersistence({
-        accessToken,
-        refreshToken,
-        persistSession,
-      });
-
-      return {
-        success: true,
-        session: {
-          accessToken,
-          refreshToken,
-        },
-      };
-    },
-  });
-
-  const processFlow = async ({
-    redirectUrl,
-    buildFlowParams,
-  }: IExtensionOAuthFlowParams & {
-    buildFlowParams: IExtensionOAuthFlowBuilder;
-  }) => {
-    const { getAuthUrl, signIn } = buildFlowParams({ redirectUrl });
-    const { authUrl, signInParams } = await getAuthUrl();
-    const callbackUrl = await launchWebAuthFlowWithTimeout(authUrl);
-
-    if (!callbackUrl) {
-      return {
-        success: false,
-        session: undefined,
-      };
-    }
-
-    return signIn({ callbackUrl, signInParams });
-  };
-
-  const buildOidcFlowParams = ({ redirectUrl }: IExtensionOAuthFlowParams) => ({
-    getAuthUrl: async () => {
-      // Build Google OAuth URL manually with response_type=id_token
-      // This is the key difference from the standard OAuth flow
-      const authUrl = new URL(GOOGLE_OAUTH_AUTHORIZE_URL);
-
-      authUrl.searchParams.set('client_id', googleClientId);
-      authUrl.searchParams.set('response_type', 'id_token');
-      authUrl.searchParams.set('access_type', 'offline');
-      authUrl.searchParams.set('redirect_uri', redirectUrl);
-      authUrl.searchParams.set('scope', scopes.join(' '));
-      // Generate a random nonce for security
-      // Supabase requires: hash the nonce before sending to Google, but pass raw nonce to Supabase
-      const rawNonce = crypto.randomUUID();
-      // Hash the nonce using SHA-256 for Google OAuth
-      const encoder = new TextEncoder();
-      const nonceData = encoder.encode(rawNonce);
-      const hashBuffer = await crypto.subtle.digest('SHA-256', nonceData);
-      const hashArray = Array.from(new Uint8Array(hashBuffer));
-      const hashedNonce = hashArray
-        .map((b) => b.toString(16).padStart(2, '0'))
-        .join('');
-      // Pass hashed nonce to Google OAuth URL
-      authUrl.searchParams.set('nonce', hashedNonce);
-      // Force account selection
-      authUrl.searchParams.set('prompt', 'select_account');
-
-      return {
-        authUrl: authUrl.href,
-        signInParams: { rawNonce },
-      };
-    },
-    signIn: async ({
-      callbackUrl,
-      signInParams,
-    }: IExtensionOAuthFlowSignInInput) => {
-      const rawNonce = signInParams.rawNonce;
-      if (!rawNonce) {
-        throw new OneKeyLocalError('Missing nonce for Google OAuth sign-in.');
-      }
-      // Parse id_token from the callback URL hash
-      const url = new URL(callbackUrl);
-      const hashParams = new URLSearchParams(url.hash.substring(1));
-      const idToken = hashParams.get(OAUTH_TOKEN_KEY_ID_TOKEN);
-
-      if (!idToken) {
-        throw new OneKeyLocalError('No ID token received from Google OAuth');
-      }
-
-      // Exchange ID token for Supabase session using signInWithIdToken
-      // Pass raw nonce to Supabase (not hashed)
-      // Use a temporary client that doesn't persist sessions automatically
-      // This allows us to get the session data without persisting it automatically
-      const tempClient = client;
-      const { data, error } = await tempClient.auth.signInWithIdToken({
-        provider: 'google',
-        token: idToken,
-        nonce: rawNonce, // Pass raw nonce to Supabase
-      });
-
-      if (error) {
-        throw new OneKeyLocalError(error.message);
-      }
-
-      if (!data.session) {
-        return {
-          success: false,
-          session: undefined,
-        };
-      }
-
-      const accessToken = data.session.access_token;
-      const refreshToken = data.session.refresh_token;
-
-      // Handle session persistence (only if persistSession is true)
-      await handleSessionPersistence({
-        accessToken,
-        refreshToken,
-        persistSession,
-      });
-
-      return {
-        success: true,
-        session: {
-          accessToken,
-          refreshToken,
-        },
-      };
-    },
-  });
-
-  // Launch the OAuth flow
-  // Note: chrome.identity.launchWebAuthFlow doesn't support window size/position options
-  // Chrome controls the OAuth window and may not allow modifications
-  // We'll set up a listener to try updating the window when it's created
-  const width = OAUTH_POPUP_WIDTH;
-  const height = OAUTH_POPUP_HEIGHT;
-  const left = Math.round((globalThis.screen?.width || 1920) / 2 - width / 2);
-  const top = Math.round((globalThis.screen?.height || 1080) / 2 - height / 2);
-
-  // Set up a one-time listener to catch the OAuth window when it's created
-  // Declare outside try block so it can be cleaned up in catch
-  let windowUpdateListener: ((window: chrome.windows.Window) => void) | null =
-    null;
-  let focusInterval: ReturnType<typeof setInterval> | null = null;
-  let oauthWindowId: number | null = null;
-
-  windowUpdateListener = (window: chrome.windows.Window) => {
-    if (window.type === 'popup' && window.id) {
-      oauthWindowId = window.id;
-      // Try to update window size and position
-      // Note: Chrome may ignore these updates for OAuth windows
-      chrome.windows
-        .update(window.id, {
-          width,
-          height,
-          left,
-          top,
-          focused: true, // Try to bring window to front
-        })
-        .catch(() => {
-          // Ignore errors - Chrome may not allow updating OAuth windows
-        });
-
-      // Set up a polling interval to periodically focus the OAuth window
-      // Similar to web OAuth popup behavior (openOAuthPopupWeb.tsx)
-      // This ensures the OAuth window stays in front during the authentication flow
-      focusInterval = setInterval(() => {
-        if (oauthWindowId !== null) {
-          chrome.windows.update(oauthWindowId, { focused: true }).catch(() => {
-            // Ignore errors - window may be closed or Chrome may not allow focusing
-          });
-        }
-      }, OAUTH_POLL_INTERVAL_MS); // Same cadence as web implementation
-
-      // Remove listener after first window is found
-      if (windowUpdateListener) {
-        chrome.windows.onCreated.removeListener(windowUpdateListener);
-      }
-    }
-  };
-
-  chrome.windows.onCreated.addListener(windowUpdateListener);
-
-  const cleanup = () => {
-    if (windowUpdateListener) {
-      chrome.windows.onCreated.removeListener(windowUpdateListener);
-    }
-    if (focusInterval !== null) {
-      clearInterval(focusInterval);
-      focusInterval = null;
-    }
-  };
-
-  const redirectUrl = getRedirectUrl();
-
-  try {
-    // --------------------------------------------------------------------------
-    // PKCE mode (Supabase OAuth URL + exchangeCodeForSession)
-    //
-    // Still uses:
-    // - chrome.identity.launchWebAuthFlow()
-    // so it matches the extension constraint and avoids relying on window.open().
-    //
-    // When true, use Supabase OAuth + PKCE code flow and exchange the returned code for a session.
-    // When false (default), use Google OIDC id_token + nonce and exchange via signInWithIdToken().
-    // --------------------------------------------------------------------------
-    if (EXTENSION_OAUTH_USE_PKCE_FLOW) {
-      return await processFlow({
-        redirectUrl,
-        buildFlowParams: buildPkceFlowParams,
-      });
-    }
-    return await processFlow({
-      redirectUrl,
-      buildFlowParams: buildOidcFlowParams,
-    });
-  } catch (error) {
-    // User closed the popup or other error
-    if (
-      error instanceof Error &&
-      error.message.includes('The user did not approve')
-    ) {
-      throw new OneKeyLocalError('OAuth sign-in was cancelled');
-    }
-    throw new OneKeyLocalError(
-      error instanceof Error ? error.message : 'Extension OAuth failed',
-    );
-  } finally {
-    try {
-      cleanup();
-    } catch {
-      // Ignore cleanup errors to avoid masking the original OAuth error.
-    }
-  }
-}
-
-/**
- * OAuth helper for Chrome Extension using getChromeApi().identity.getAuthToken
- *
- * This is an ALTERNATIVE method that uses Chrome's built-in OAuth via manifest oauth2 config.
- *
- * How it works:
- * 1. Uses getChromeApi().identity.getAuthToken to get Google Access Token (via manifest oauth2 config)
- * 2. Fetches user info from Google to get the ID Token
- * 3. Uses Supabase signInWithIdToken to exchange for session
- *
- * Prerequisites:
- * - manifest.json must have oauth2.client_id and oauth2.scopes configured
- * - Google Cloud Console: Create Chrome Extension type OAuth Client ID
- * - Supabase Dashboard: Add Chrome Extension Client ID to Google Provider
- *
- * manifest.json example:
- * {
- *   "oauth2": {
- *     "client_id": "YOUR_CHROME_CLIENT_ID.apps.googleusercontent.com",
- *     "scopes": ["openid", "email", "profile"]
- *   }
- * }
- *
- * @param options - Configuration options
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- */
-export async function openOAuthPopupExtIdToken(_options: {
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  if (!chrome.identity) {
-    throw new OneKeyLocalError(
-      'chrome.identity API is not available. ' +
-        'Make sure you are running in a Chrome Extension context (not content script) ' +
-        'and the "identity" permission is added to manifest.json. ' +
-        'Try rebuilding the extension and reloading it in chrome://extensions.',
-    );
-  }
-
-  try {
-    // Step 1: Get Google Access Token using chrome.identity.getAuthToken
-    // This requires oauth2 config in manifest.json
-    const authResult = await chrome.identity.getAuthToken({
-      interactive: true,
-    });
-
-    if (!authResult.token) {
-      throw new OneKeyLocalError('Failed to get Google auth token');
-    }
-
-    const googleAccessToken = authResult.token;
-
-    // Step 2: Fetch user info from Google to get the ID token
-    // We need to use the tokeninfo endpoint to get additional token details
-    const tokenInfoResponse = await fetch(
-      `${GOOGLE_OAUTH_TOKENINFO_URL}?${OAUTH_TOKEN_KEY_ACCESS_TOKEN}=${googleAccessToken}`,
-    );
-
-    if (!tokenInfoResponse.ok) {
-      throw new OneKeyLocalError('Failed to validate Google token');
-    }
-
-    // Step 3: Get the ID token by making an OAuth request
-    // Since getAuthToken doesn't directly return id_token, we need to use a different approach
-    // We'll use the access token to get user info and then exchange with Supabase
-    const userInfoResponse = await fetch(GOOGLE_OAUTH_USERINFO_URL, {
-      headers: {
-        Authorization: `Bearer ${googleAccessToken}`,
-      },
-    });
-
-    if (!userInfoResponse.ok) {
-      throw new OneKeyLocalError('Failed to get user info from Google');
-    }
-
-    const userInfo = (await userInfoResponse.json()) as {
-      sub: string;
-      email: string;
-      email_verified: boolean;
-      name: string;
-      picture: string;
-    };
-
-    // Note: getAuthToken doesn't provide id_token directly
-    // We need to use launchWebAuthFlow with response_type=id_token for proper ID token
-    // This method is kept as an alternative but openOAuthPopupExtIdentity is preferred
-
-    // For now, we'll throw an error indicating this method needs the manifest oauth2 config
-    // with proper setup to get id_token
-    throw new OneKeyLocalError(
-      'getAuthToken method requires id_token. Please use CHROME_IDENTITY_API method instead, ' +
-        `or configure manifest oauth2. User email: ${userInfo.email}`,
-    );
-
-    // Uncomment below if you have a way to get id_token from getAuthToken flow:
-    // const { data, error } = await supabaseClient.auth.signInWithIdToken({
-    //   provider: 'google',
-    //   token: idToken, // Need to get this from somewhere
-    //   access_token: googleAccessToken,
-    // });
-  } catch (error) {
-    if (
-      error instanceof Error &&
-      error.message.includes('The user did not approve')
-    ) {
-      throw new OneKeyLocalError('OAuth sign-in was cancelled');
-    }
-    throw new OneKeyLocalError(
-      error instanceof Error ? error.message : 'Extension OAuth failed',
-    );
-  }
-}
-
-/**
- * OAuth popup window helper for Chrome Extension platform
- *
- * ⚠️ WARNING: THIS METHOD DOES NOT WORK ⚠️
- *
- * This method attempts to use the direct chrome-extension:// scheme for OAuth callback,
- * but it FAILS because Chrome blocks external websites from redirecting to chrome-extension:// URLs.
- *
- * Error: ERR_BLOCKED_BY_CLIENT
- * Reason: Chrome security restriction prevents web pages from redirecting to extension URLs
- *         to protect users from malicious websites triggering extension actions.
- *
- * OAuth flow that fails:
- *   Google/Apple OAuth → Supabase → chrome-extension://xxx/ui-oauth-callback.html
- *                                   ↑ Chrome blocks this redirect
- *
- * RECOMMENDED: Use CHROME_IDENTITY_API method instead (openOAuthPopupExtIdentity)
- * - Uses getChromeApi().identity.launchWebAuthFlow API
- * - Redirect URL: https://<extension-id>.chromiumapp.org/auth/callback
- * - Chrome specially handles .chromiumapp.org URLs for extension OAuth
- *
- * This code is kept for reference but should NOT be used.
- *
- * ---
- * Original design (non-functional):
- * Uses getChromeApi().windows.create to open a popup window for OAuth authentication.
- * Monitors tab URL changes to detect the OAuth callback and extract tokens.
- *
- * This method uses the direct chrome-extension:// scheme:
- * - Opens a popup window for OAuth
- * - Monitors URL changes via getChromeApi().tabs.onUpdated
- * - Extracts tokens when URL matches chrome-extension://<id>/ui-oauth-callback.html
- *
- * Supabase Redirect URL to add:
- *   chrome-extension://<extension-id>/ui-oauth-callback.html
- *
- * @param options - Configuration options
- * @param options.authUrl - The OAuth authorization URL to open
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- * @deprecated Use openOAuthPopupExtIdentity instead - this method does not work due to Chrome security restrictions
- */
-export function openOAuthPopupExtWindow(options: {
-  authUrl: string;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { authUrl, handleSessionPersistence, persistSession } = options;
-
-  return new Promise((resolve, reject) => {
-    // Popup window dimensions (same as web OAuth popup)
-    const width = OAUTH_POPUP_WIDTH;
-    const height = OAUTH_POPUP_HEIGHT;
-    let windowId: number | undefined;
-    let resolved = false;
-
-    // Helper to close window safely
-    const closeWindow = () => {
-      if (windowId !== undefined) {
-        try {
-          void chrome.windows.remove(windowId);
-        } catch {
-          // Window may already be closed
-        }
-      }
-    };
-
-    // Store listener references for cleanup
-    const listeners = {
-      onTabUpdated: null as
-        | ((
-            tabId: number,
-            changeInfo: chrome.tabs.TabChangeInfo,
-            tab: chrome.tabs.Tab,
-          ) => void)
-        | null,
-      onWindowRemoved: null as ((removedWindowId: number) => void) | null,
-    };
-
-    // Helper to remove all listeners
-    const cleanup = () => {
-      if (listeners.onTabUpdated) {
-        chrome.tabs.onUpdated.removeListener(listeners.onTabUpdated);
-      }
-      if (listeners.onWindowRemoved) {
-        chrome.windows.onRemoved.removeListener(listeners.onWindowRemoved);
-      }
-    };
-
-    // Listen for window close (user cancelled)
-    listeners.onWindowRemoved = (removedWindowId: number) => {
-      if (removedWindowId === windowId && !resolved) {
-        resolved = true;
-        cleanup();
-        reject(new OneKeyLocalError('OAuth sign-in was cancelled'));
-      }
-    };
-
-    // Listen for tab URL changes to detect OAuth callback
-    listeners.onTabUpdated = (
-      _tabId: number,
-      changeInfo: chrome.tabs.TabChangeInfo,
-      tab: chrome.tabs.Tab,
-    ) => {
-      // Only process tabs in our OAuth window
-      if (tab.windowId !== windowId || resolved) {
-        return;
-      }
-
-      // Check multiple URL sources:
-      // - changeInfo.url: When URL changes during navigation
-      // - tab.url: Current tab URL
-      // - tab.pendingUrl: URL that the tab is navigating to (useful when navigation is blocked)
-      const tabUrl =
-        changeInfo.url ||
-        tab.url ||
-        (tab as chrome.tabs.Tab & { pendingUrl?: string }).pendingUrl;
-      if (!tabUrl) {
-        return;
-      }
-
-      // Check if URL is our callback URL with tokens
-      if (
-        tabUrl.startsWith(
-          `chrome-extension://${chrome.runtime.id}/ui-oauth-callback.html`,
-        )
-      ) {
-        resolved = true;
-        cleanup();
-        closeWindow();
-
-        // Parse tokens from the URL
-        try {
-          const parsedUrl = new URL(tabUrl);
-          const hashParams = new URLSearchParams(
-            parsedUrl.hash.substring(1) || parsedUrl.search.substring(1),
-          );
-
-          const accessToken = hashParams.get(OAUTH_TOKEN_KEY_ACCESS_TOKEN);
-          const refreshToken = hashParams.get(OAUTH_TOKEN_KEY_REFRESH_TOKEN);
-
-          if (accessToken && refreshToken) {
-            void handleSessionPersistence({
-              accessToken,
-              refreshToken,
-              persistSession,
-            }).then(() => {
-              resolve({
-                success: true,
-                session: {
-                  accessToken,
-                  refreshToken,
-                },
-              });
-            });
-          } else {
-            resolve({
-              success: false,
-              session: undefined,
-            });
-          }
-        } catch (error) {
-          reject(
-            new OneKeyLocalError(
-              error instanceof Error
-                ? error.message
-                : 'Failed to process OAuth callback',
-            ),
-          );
-        }
-      }
-    };
-
-    // Add listeners before creating window
-    chrome.tabs.onUpdated.addListener(listeners.onTabUpdated);
-    chrome.windows.onRemoved.addListener(listeners.onWindowRemoved);
-
-    // Create popup window for OAuth
-    chrome.windows.create(
-      {
-        url: authUrl,
-        type: 'popup',
-        width,
-        height,
-        // Center the window on screen
-        left: Math.round((globalThis.screen?.width || 1920) / 2 - width / 2),
-        top: Math.round((globalThis.screen?.height || 1080) / 2 - height / 2),
-      },
-      (authWindow) => {
-        if (!authWindow?.id) {
-          cleanup();
-          reject(new OneKeyLocalError('Failed to create OAuth window'));
-          return;
-        }
-
-        windowId = authWindow.id;
-
-        // Set timeout
-        setTimeout(() => {
-          if (!resolved) {
-            resolved = true;
-            cleanup();
-            closeWindow();
-            reject(new OneKeyLocalError('OAuth sign-in timed out'));
-          }
-        }, OAUTH_FLOW_TIMEOUT_MS); // 5 minutes timeout
-      },
-    );
-  });
-}
diff --git a/packages/kit/src/components/OneKeyAuth/openOAuthPopupNative.tsx b/packages/kit/src/components/OneKeyAuth/openOAuthPopupNative.tsx
deleted file mode 100644
index 66d61612f5f1..000000000000
--- a/packages/kit/src/components/OneKeyAuth/openOAuthPopupNative.tsx
+++ /dev/null
@@ -1,94 +0,0 @@
-import * as WebBrowser from 'expo-web-browser';
-
-import {
-  OAUTH_TOKEN_KEY_ACCESS_TOKEN,
-  OAUTH_TOKEN_KEY_REFRESH_TOKEN,
-} from '@onekeyhq/shared/src/consts/authConsts';
-import { ONEKEY_APP_DEEP_LINK } from '@onekeyhq/shared/src/consts/deeplinkConsts';
-import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
-
-import type {
-  IHandleOAuthSessionPersistenceParams,
-  IOAuthPopupResult,
-} from './openOAuthPopupTypes';
-
-/**
- * Get OAuth redirect URL for native platforms (iOS/Android)
- *
- * Uses the deep link scheme: onekey-wallet://auth/callback
- *
- * @returns The redirect URL for native OAuth
- */
-export function getOAuthRedirectUrlNative(): string {
-  return `${ONEKEY_APP_DEEP_LINK}auth/callback`;
-}
-
-/**
- * OAuth helper for native platforms (iOS/Android)
- *
- * Uses expo-web-browser to open an in-app browser for OAuth authentication.
- * The browser will redirect to the deep link callback URL when complete.
- *
- * @param options - Configuration options
- * @param options.authUrl - The OAuth authorization URL to open
- * @param options.redirectTo - The redirect URL for OAuth callback
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session
- * @returns Promise with success status and session tokens
- */
-export async function openOAuthPopupNative(options: {
-  authUrl: string;
-  redirectTo: string | undefined;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { authUrl, redirectTo, handleSessionPersistence, persistSession } =
-    options;
-
-  // Use expo-web-browser for native platforms
-  // eslint-disable-next-line spellcheck/spell-checker
-  const browserResult = await WebBrowser.openAuthSessionAsync(
-    authUrl,
-    redirectTo,
-    {
-      // eslint-disable-next-line spellcheck/spell-checker
-      showInRecents: true,
-      preferEphemeralSession: false,
-    },
-  );
-
-  if (browserResult.type === 'success' && browserResult.url) {
-    // Extract tokens from the callback URL
-    const url = new URL(browserResult.url);
-    const hashParams = new URLSearchParams(
-      url.hash.substring(1) || url.search.substring(1),
-    );
-
-    const accessToken = hashParams.get(OAUTH_TOKEN_KEY_ACCESS_TOKEN);
-    const refreshToken = hashParams.get(OAUTH_TOKEN_KEY_REFRESH_TOKEN);
-
-    if (accessToken && refreshToken) {
-      await handleSessionPersistence({
-        accessToken,
-        refreshToken,
-        persistSession,
-      });
-
-      return {
-        success: true,
-        session: {
-          accessToken,
-          refreshToken,
-        },
-      };
-    }
-  }
-
-  if (browserResult.type === 'cancel') {
-    throw new OneKeyLocalError('OAuth sign-in was cancelled');
-  }
-
-  throw new OneKeyLocalError('OAuth sign-in failed');
-}
diff --git a/packages/kit/src/components/OneKeyAuth/openOAuthPopupTypes.tsx b/packages/kit/src/components/OneKeyAuth/openOAuthPopupTypes.tsx
deleted file mode 100644
index 52de4d202a59..000000000000
--- a/packages/kit/src/components/OneKeyAuth/openOAuthPopupTypes.tsx
+++ /dev/null
@@ -1,34 +0,0 @@
-export type IHandleOAuthSessionPersistenceParams = {
-  accessToken: string;
-  refreshToken: string;
-  persistSession?: boolean;
-  // Whether to also login to Prime service (default: true)
-  loginToPrime?: boolean;
-};
-
-export type IOAuthPopupResult = {
-  success: boolean;
-  session?: {
-    accessToken: string;
-    refreshToken: string;
-  };
-};
-
-export type IOpenOAuthPopupOptions = {
-  // Whether to persist the session to storage
-  // When false (default): Only return tokens, don't call setSession
-  persistSession?: boolean;
-};
-
-/**
- * OAuth configuration for Google sign-in (extension).
- * These values should match your Google Cloud Console OAuth 2.0 Client ID settings.
- */
-export interface IExtensionOAuthConfig {
-  // Google OAuth Client ID for Chrome Extension
-  // Create this in Google Cloud Console > APIs & Services > Credentials > OAuth 2.0 Client IDs
-  // Application type: Chrome Extension
-  googleClientId: string;
-  // OAuth scopes to request
-  scopes?: string[];
-}
diff --git a/packages/kit/src/components/OneKeyAuth/openOAuthPopupWeb.tsx b/packages/kit/src/components/OneKeyAuth/openOAuthPopupWeb.tsx
deleted file mode 100644
index 7a34636a34ad..000000000000
--- a/packages/kit/src/components/OneKeyAuth/openOAuthPopupWeb.tsx
+++ /dev/null
@@ -1,291 +0,0 @@
-import {
-  OAUTH_FLOW_TIMEOUT_MS,
-  OAUTH_POLL_INTERVAL_MS,
-  OAUTH_POPUP_HEIGHT,
-  OAUTH_POPUP_WIDTH,
-} from '@onekeyhq/shared/src/consts/authConsts';
-import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
-
-import type {
-  IHandleOAuthSessionPersistenceParams,
-  IOAuthPopupResult,
-} from './openOAuthPopupTypes';
-import type { SupabaseClient } from '@supabase/supabase-js';
-
-/**
- * Get OAuth redirect URL for web platform
- *
- * Uses the current origin with /auth/callback path
- * Example: https://app.onekey.so/auth/callback
- *
- * @returns The redirect URL for web OAuth
- */
-export function getOAuthRedirectUrlWeb(): string {
-  return `${globalThis.location?.origin || ''}/auth/callback`;
-}
-
-// Focus the popup window to bring it to front, with error handling
-function focusPopup(win: Window | null) {
-  try {
-    win?.focus();
-  } catch (e) {
-    // Focusing may fail (e.g., popup not allowed or browser restrictions)
-    // We silently ignore the error as it does not affect auth flow
-  }
-}
-
-// Close the popup window safely, with error handling
-function closePopup(win: Window | null) {
-  try {
-    win?.close();
-  } catch (e) {
-    // Closing may fail (e.g., popup already closed or browser restrictions)
-    // We silently ignore the error as the popup is either already closed or inaccessible
-  }
-}
-
-/**
- * OAuth popup window helper for web platform
- *
- * Opens a popup window for OAuth authentication and monitors for the callback URL.
- * Extracts tokens from the URL when authentication is complete.
- *
- * @param options - Configuration options
- * @param options.authUrl - The OAuth authorization URL to open
- * @param options.client - Supabase client instance
- * @param options.handleSessionPersistence - Function to handle session persistence
- * @param options.persistSession - Whether to persist the session (default: false)
- * @returns Promise with success status and session tokens
- */
-export async function openOAuthPopupWeb(options: {
-  authUrl: string;
-  client: SupabaseClient;
-  handleSessionPersistence: (
-    params: IHandleOAuthSessionPersistenceParams,
-  ) => Promise<void>;
-  persistSession?: boolean;
-}): Promise<IOAuthPopupResult> {
-  const { authUrl, client, handleSessionPersistence, persistSession } = options;
-  return new Promise((resolve, reject) => {
-    let settled = false;
-    let inFlight = false;
-    let pollIntervalId: ReturnType<typeof setInterval> | null = null;
-    let timeoutId: ReturnType<typeof setTimeout> | null = null;
-    let expectedState: string | null = null;
-
-    try {
-      expectedState = new URL(authUrl).searchParams.get('state');
-    } catch {
-      expectedState = null;
-    }
-
-    const cleanup = (popup: Window | null) => {
-      if (pollIntervalId) {
-        clearInterval(pollIntervalId);
-        pollIntervalId = null;
-      }
-      if (timeoutId) {
-        clearTimeout(timeoutId);
-        timeoutId = null;
-      }
-      if (popup && !popup.closed) {
-        closePopup(popup);
-      }
-    };
-
-    const resolveOnce = (result: IOAuthPopupResult, popup: Window | null) => {
-      if (settled) {
-        return;
-      }
-      settled = true;
-      cleanup(popup);
-      resolve(result);
-    };
-
-    const rejectOnce = (error: unknown, popup: Window | null) => {
-      if (settled) {
-        return;
-      }
-      settled = true;
-      cleanup(popup);
-      reject(error);
-    };
-
-    // Calculate popup window position (centered)
-    const width = OAUTH_POPUP_WIDTH;
-    const height = OAUTH_POPUP_HEIGHT;
-    const left = globalThis.screenX + (globalThis.outerWidth - width) / 2;
-    const top = globalThis.screenY + (globalThis.outerHeight - height) / 2;
-
-    // Open popup window without address bar and toolbar
-    // Note: Web browsers don't allow forcing popups to stay on top (alwaysOnTop)
-    // for security reasons. We can only focus the popup when it opens.
-    const popup = globalThis.open(
-      authUrl,
-      'oauth_popup',
-      `width=${width},height=${height},left=${left},top=${top},menubar=no,toolbar=no,location=no,status=no,scrollbars=yes,resizable=yes`,
-    );
-
-    if (!popup) {
-      rejectOnce(
-        new OneKeyLocalError(
-          'Popup was blocked. Please allow popups and try again.',
-        ),
-        null,
-      );
-      return;
-    }
-
-    focusPopup(popup);
-
-    // Poll for popup close and check for auth code (PKCE flow)
-    pollIntervalId = setInterval(async () => {
-      if (inFlight) {
-        return;
-      }
-      inFlight = true;
-      try {
-        if (settled) {
-          return;
-        }
-        focusPopup(popup);
-        // Check if popup is closed
-        if (popup.closed) {
-          // Check if we got a session after popup closed
-          const { data } = await client.auth.getSession();
-          if (data.session) {
-            const accessToken = data.session.access_token;
-            const refreshToken = data.session.refresh_token;
-
-            await handleSessionPersistence({
-              accessToken,
-              refreshToken,
-              persistSession,
-              loginToPrime: false, // openOAuthPopupWeb doesn't handle Prime login
-            });
-
-            resolveOnce(
-              {
-                success: true,
-                session: {
-                  accessToken,
-                  refreshToken,
-                },
-              },
-              popup,
-            );
-          } else {
-            resolveOnce(
-              {
-                success: false,
-                session: undefined,
-              },
-              popup,
-            );
-          }
-          return;
-        }
-
-        // Try to read the popup URL to check for callback with authorization code
-        try {
-          const popupUrl = popup.location.href;
-          // PKCE flow: check for 'code' parameter in URL (not access_token)
-          if (popupUrl && popupUrl.includes('code=')) {
-            closePopup(popup);
-
-            // Parse authorization code from URL query string
-            const url = new URL(popupUrl);
-            const code = url.searchParams.get('code');
-            const state = url.searchParams.get('state');
-
-            // Validate state (anti-CSRF / anti-injection). Supabase OAuth URLs should include `state=...`
-            // and the redirect callback should echo it back.
-            if (expectedState) {
-              if (!state) {
-                rejectOnce(
-                  new OneKeyLocalError('OAuth state is missing'),
-                  popup,
-                );
-                return;
-              }
-              if (state !== expectedState) {
-                rejectOnce(new OneKeyLocalError('OAuth state mismatch'), popup);
-                return;
-              }
-            }
-
-            if (code) {
-              // Exchange authorization code for session tokens using PKCE
-              // The Supabase client automatically uses the stored code_verifier
-              const { data, error } = await client.auth.exchangeCodeForSession(
-                code,
-              );
-
-              if (error) {
-                rejectOnce(new OneKeyLocalError(error.message), popup);
-                return;
-              }
-
-              const session = data.session;
-              if (session) {
-                const accessToken = session.access_token;
-                const refreshToken = session.refresh_token;
-
-                await handleSessionPersistence({
-                  accessToken,
-                  refreshToken,
-                  persistSession,
-                  loginToPrime: false, // openOAuthPopupWeb doesn't handle Prime login
-                });
-
-                resolveOnce(
-                  {
-                    success: true,
-                    session: {
-                      accessToken,
-                      refreshToken,
-                    },
-                  },
-                  popup,
-                );
-              } else {
-                resolveOnce(
-                  {
-                    success: false,
-                    session: undefined,
-                  },
-                  popup,
-                );
-              }
-            } else {
-              resolveOnce(
-                {
-                  success: false,
-                  session: undefined,
-                },
-                popup,
-              );
-            }
-          }
-        } catch {
-          // Cross-origin error - popup is on different domain, continue polling
-        }
-      } catch (error) {
-        rejectOnce(error, popup);
-      } finally {
-        inFlight = false;
-      }
-    }, OAUTH_POLL_INTERVAL_MS);
-
-    // Cleanup after timeout (5 minutes)
-    timeoutId = setTimeout(() => {
-      resolveOnce(
-        {
-          success: false,
-          session: undefined,
-        },
-        popup,
-      );
-    }, OAUTH_FLOW_TIMEOUT_MS);
-  });
-}
diff --git a/packages/kit/src/components/OneKeyAuth/supabase/getSupabaseClient.ts b/packages/kit/src/components/OneKeyAuth/supabase/getSupabaseClient.ts
index 9b032f97587c..81004f0f3672 100644
--- a/packages/kit/src/components/OneKeyAuth/supabase/getSupabaseClient.ts
+++ b/packages/kit/src/components/OneKeyAuth/supabase/getSupabaseClient.ts
@@ -2,6 +2,8 @@
 import { createClient } from '@supabase/supabase-js';
 
 import {
+  KEYLESS_SUPABASE_PROJECT_URL,
+  KEYLESS_SUPABASE_PUBLIC_API_KEY,
   SUPABASE_PROJECT_URL,
   SUPABASE_PUBLIC_API_KEY,
 } from '@onekeyhq/shared/src/consts/authConsts';
@@ -43,8 +45,8 @@ export function getSupabaseClient() {
  */
 export function createTemporarySupabaseClient() {
   return createClient(
-    SUPABASE_PROJECT_URL ?? '',
-    SUPABASE_PUBLIC_API_KEY ?? '',
+    KEYLESS_SUPABASE_PROJECT_URL ?? '',
+    KEYLESS_SUPABASE_PUBLIC_API_KEY ?? '',
     {
       auth: {
         autoRefreshToken: false,
diff --git a/packages/kit/src/components/OneKeyAuth/supabase/useSupabaseAuth.tsx b/packages/kit/src/components/OneKeyAuth/supabase/useSupabaseAuth.tsx
index f7c7646d00fc..648a0af86111 100644
--- a/packages/kit/src/components/OneKeyAuth/supabase/useSupabaseAuth.tsx
+++ b/packages/kit/src/components/OneKeyAuth/supabase/useSupabaseAuth.tsx
@@ -3,38 +3,15 @@ import { useCallback, useMemo } from 'react';
 
 import { useIntl } from 'react-intl';
 
+import { Dialog } from '@onekeyhq/components';
 import backgroundApiProxy from '@onekeyhq/kit/src/background/instance/backgroundApiProxy';
-import {
-  DEFAULT_DESKTOP_OAUTH_METHOD,
-  DEFAULT_EXTENSION_OAUTH_METHOD,
-  EDesktopOAuthMethod,
-  EExtensionOAuthMethod,
-  GOOGLE_CHROME_EXTENSION_CLIENT_ID,
-} from '@onekeyhq/shared/src/consts/authConsts';
+import type { EOAuthSocialLoginProvider } from '@onekeyhq/shared/src/consts/authConsts';
 import { OneKeyLocalError } from '@onekeyhq/shared/src/errors';
+import errorToastUtils from '@onekeyhq/shared/src/errors/utils/errorToastUtils';
 import { ETranslations } from '@onekeyhq/shared/src/locale';
-import platformEnv from '@onekeyhq/shared/src/platformEnv';
 
-import {
-  getOAuthRedirectUrlDesktop,
-  openOAuthPopupDesktopDeepLink,
-  openOAuthPopupDesktopWebview,
-} from '../openOAuthPopupDesktop';
-import { openOAuthPopupDesktopLocalhost } from '../openOAuthPopupDesktopLocalhost';
-import {
-  getOAuthRedirectUrlExt,
-  openOAuthPopupExtIdToken,
-  openOAuthPopupExtIdentity,
-  openOAuthPopupExtWindow,
-} from '../openOAuthPopupExt';
-import {
-  getOAuthRedirectUrlNative,
-  openOAuthPopupNative,
-} from '../openOAuthPopupNative';
-import {
-  getOAuthRedirectUrlWeb,
-  openOAuthPopupWeb,
-} from '../openOAuthPopupWeb';
+import { OAuthPopup } from '../OAuthPopup';
+import { ensureOneKeyOAuthState } from '../oauthUtils';
 
 import {
   createTemporarySupabaseClient,
@@ -44,35 +21,20 @@ import { useSupabaseAuthContext } from './SupabaseAuthContext';
 
 import type { AuthResponse, SupabaseClient } from '@supabase/supabase-js';
 
-// Helper function to handle OAuth session persistence
-// This function is called after successfully extracting tokens from OAuth callback
-async function handleOAuthSessionPersistence({
-  accessToken,
-  refreshToken,
-  persistSession,
-  loginToPrime,
-}: {
-  accessToken: string;
-  refreshToken: string;
+export type IOAuthSignInResult = {
+  success: boolean;
+  session?: {
+    accessToken: string;
+    refreshToken: string;
+  };
+};
+
+export type IOAuthSignInOptions = {
+  // Whether to persist the session to storage and set it in Supabase client
+  // When false (default): Only return tokens in memory, don't call setSession
+  // When true: Call setSession to persist and enable auto-refresh
   persistSession?: boolean;
-  // Whether to also login to Prime service
-  loginToPrime?: boolean;
-}): Promise<void> {
-  if (persistSession) {
-    // Persist session to Supabase client storage
-    await getSupabaseClient().client.auth.setSession({
-      access_token: accessToken,
-      refresh_token: refreshToken,
-    });
-
-    // Login to Prime service
-    if (loginToPrime) {
-      await backgroundApiProxy.servicePrime.apiLogin({
-        accessToken,
-      });
-    }
-  }
-}
+};
 
 export function useSupabaseAuth() {
   const ctx = useSupabaseAuthContext();
@@ -87,68 +49,48 @@ export function useSupabaseAuth() {
 
   const performOAuthSignIn = useCallback(
     async (
-      provider: 'google' | 'apple',
-      options?: {
-        // Whether to persist the session to storage and set it in Supabase client
-        // When false (default): Only return tokens in memory, don't call setSession
-        // When true: Call setSession to persist and enable auto-refresh
-        persistSession?: boolean;
-      },
-    ): Promise<{
-      success: boolean;
-      session?: {
-        accessToken: string;
-        refreshToken: string;
-      };
-    }> => {
+      provider: EOAuthSocialLoginProvider,
+      options?: IOAuthSignInOptions,
+    ): Promise<IOAuthSignInResult> => {
       const { persistSession } = options ?? {};
       const clientTemp: SupabaseClient = createTemporarySupabaseClient();
 
-      // For extension with CHROME_IDENTITY_API or CHROME_GET_AUTH_TOKEN methods,
-      // we don't need Supabase OAuth URL - these methods build their own Google OAuth URL
-      // and use signInWithIdToken instead
-      if (platformEnv.isExtension) {
-        if (
-          DEFAULT_EXTENSION_OAUTH_METHOD ===
-          EExtensionOAuthMethod.CHROME_IDENTITY_API
-        ) {
-          // Use launchWebAuthFlow + signInWithIdToken (Supabase recommended)
-          // This method builds its own Google OAuth URL with response_type=id_token
-          return openOAuthPopupExtIdentity({
-            client: clientTemp,
-            config: { googleClientId: GOOGLE_CHROME_EXTENSION_CLIENT_ID },
-            handleSessionPersistence: handleOAuthSessionPersistence,
-            persistSession,
-          });
-        }
-        if (
-          DEFAULT_EXTENSION_OAUTH_METHOD ===
-          EExtensionOAuthMethod.CHROME_GET_AUTH_TOKEN
-        ) {
-          // Use getAuthToken (requires manifest oauth2 config)
-          // Chrome handles OAuth internally, no redirect URL needed
-          return openOAuthPopupExtIdToken({
-            handleSessionPersistence: handleOAuthSessionPersistence,
-            persistSession,
+      const handleOAuthSessionPersistence = async ({
+        accessToken,
+        refreshToken,
+      }: {
+        accessToken: string;
+        refreshToken: string;
+      }): Promise<void> => {
+        if (persistSession) {
+          // Persist session to Supabase client storage
+          await getSupabaseClient().client.auth.setSession({
+            access_token: accessToken,
+            refresh_token: refreshToken,
           });
+
+          // Login to Prime service
+          // if (loginToPrime) {
+          //   await backgroundApiProxy.servicePrime.apiLogin({
+          //     accessToken,
+          //   });
+          // }
         }
-      }
+      };
 
-      // For other platforms and DIRECT_EXTENSION_SCHEME, we need Supabase OAuth URL
-      // Build redirect URL based on platform
-      let redirectTo: string | undefined;
-      if (platformEnv.isNative) {
-        redirectTo = getOAuthRedirectUrlNative();
-      } else if (platformEnv.isDesktop) {
-        redirectTo = await getOAuthRedirectUrlDesktop(
-          DEFAULT_DESKTOP_OAUTH_METHOD,
-        );
-      } else if (platformEnv.isExtension) {
-        redirectTo = getOAuthRedirectUrlExt(DEFAULT_EXTENSION_OAUTH_METHOD);
-      } else {
-        redirectTo = getOAuthRedirectUrlWeb();
+      // Get platform-specific redirect URL
+      // Note: Some platforms return Promise<string> (e.g., desktop needs to start server)
+      let redirectTo: string | undefined = await Promise.resolve(
+        OAuthPopup.getRedirectUrl(),
+      );
+
+      // Defense-in-depth: Supabase PKCE URL may not include `state`. We embed our own
+      // nonce into redirectTo so the callback must carry it back to us.
+      if (redirectTo) {
+        redirectTo = ensureOneKeyOAuthState(redirectTo);
       }
 
+      // Get Supabase OAuth URL
       const oauthUrlResult = await clientTemp.auth.signInWithOAuth({
         provider,
         options: {
@@ -169,99 +111,58 @@ export function useSupabaseAuth() {
       }
 
       const authUrl = oauthUrlResult.data.url;
+
       if (!authUrl) {
         throw new OneKeyLocalError('Failed to get OAuth URL');
       }
-
-      // Open the OAuth URL based on platform
-      if (platformEnv.isNative) {
-        return openOAuthPopupNative({
-          authUrl,
-          redirectTo,
-          handleSessionPersistence: handleOAuthSessionPersistence,
-          persistSession,
-        });
-      }
-
-      // For desktop (Electron), handle OAuth based on configured method
-      if (platformEnv.isDesktop) {
-        if (
-          DEFAULT_DESKTOP_OAUTH_METHOD === EDesktopOAuthMethod.LOCALHOST_SERVER
-        ) {
-          return openOAuthPopupDesktopLocalhost({
-            authUrl,
-            client: clientTemp,
-            handleSessionPersistence: handleOAuthSessionPersistence,
-            persistSession,
-          });
+      /*
+        iOS: 
+        {
+            "authUrl": "https://wtspqckturkzhstyjabx.supabase.co/auth/v1/authorize?provider=apple&redirect_to=https%3A%2F%2Foauth-callback.onekey.so%2Foauth_callback_native%3Fonekey_oauth_state%3D3af5c82abbfb19da14a00f6035828bdf&code_challenge=xxxx&code_challenge_method=plain&prompt=select_account",
+            "provider": "apple",
+            "redirectTo": "https://oauth-callback.onekey.so/oauth_callback_native?onekey_oauth_state=3af5c82abbfb19da14a00f6035828bdf"
         }
-        if (DEFAULT_DESKTOP_OAUTH_METHOD === EDesktopOAuthMethod.WEBVIEW) {
-          return openOAuthPopupDesktopWebview({
-            authUrl,
-            handleSessionPersistence: handleOAuthSessionPersistence,
-            persistSession,
-          });
-        }
-        return openOAuthPopupDesktopDeepLink({
-          authUrl,
-          handleSessionPersistence: handleOAuthSessionPersistence,
-          persistSession,
-        });
-      }
-
-      // For extension with DIRECT_EXTENSION_SCHEME (does not work, kept for reference)
-      if (platformEnv.isExtension) {
-        return openOAuthPopupExtWindow({
-          authUrl,
-          handleSessionPersistence: handleOAuthSessionPersistence,
-          persistSession,
-        });
-      }
+        https://oauth-callback.onekey.so/oauth_callback_native?code=xxxx&onekey_oauth_state=3af5c82abbfb19da14a00f6035828bdf
 
-      // Open OAuth popup window for web
-      const popupResult = await openOAuthPopupWeb({
+        Desktop:
+        {
+            "authUrl": "https://wtspqckturkzhstyjabx.supabase.co/auth/v1/authorize?provider=apple&redirect_to=http%3A%2F%2F127.0.0.1%3A62416%2Foauth_callback_desktop%3Fonekey_oauth_state%3D2fd6480e3004ad6aef7d6a72dc37455b&code_challenge=xxxx&code_challenge_method=s256&prompt=select_account",
+            "provider": "apple",
+            "redirectTo": "http://127.0.0.1:62416/oauth_callback_desktop?onekey_oauth_state=2fd6480e3004ad6aef7d6a72dc37455b"
+        }
+        http://127.0.0.1:62416/oauth_callback_desktop?code=xxxx&onekey_oauth_state=2fd6480e3004ad6aef7d6a72dc37455b
+      */
+
+      // Dialog.debugMessage({
+      //   title: 'performOAuthSignIn',
+      //   debugMessage: {
+      //     provider,
+      //     redirectTo,
+      //     authUrl,
+      //   },
+      // });
+
+      // Open OAuth popup using platform-specific implementation
+      return OAuthPopup.open({
+        provider,
         authUrl,
+        redirectTo,
         client: clientTemp,
         handleSessionPersistence: handleOAuthSessionPersistence,
-        persistSession,
       });
-      return popupResult;
     },
     [],
   );
 
-  const signInWithGoogle = useCallback(
-    async (options?: {
-      // Whether to persist the session to storage (default: false)
-      persistSession?: boolean;
-    }): Promise<{
-      success: boolean;
-      session?: {
-        accessToken: string;
-        refreshToken: string;
-      };
-    }> => {
-      // Perform the OAuth flow
-      const oauthResult = await performOAuthSignIn('google', options);
-      return oauthResult;
-    },
-    [performOAuthSignIn],
-  );
-
-  const signInWithApple = useCallback(
-    async (options?: {
-      // Whether to persist the session to storage (default: false)
-      persistSession?: boolean;
-    }): Promise<{
-      success: boolean;
-      session?: {
-        accessToken: string;
-        refreshToken: string;
-      };
-    }> => {
-      // Perform the OAuth flow
-      const oauthResult = await performOAuthSignIn('apple', options);
-      return oauthResult;
+  const signInWithSocialLogin = useCallback(
+    async (
+      provider: EOAuthSocialLoginProvider,
+      options?: IOAuthSignInOptions,
+    ): Promise<IOAuthSignInResult> => {
+      return errorToastUtils.withErrorAutoToast(async () => {
+        const oauthResult = await performOAuthSignIn(provider, options);
+        return oauthResult;
+      });
     },
     [performOAuthSignIn],
   );
@@ -450,8 +351,7 @@ export function useSupabaseAuth() {
     () => ({
       signOut,
       signInWithOtp,
-      signInWithGoogle,
-      signInWithApple,
+      signInWithSocialLogin,
       performOAuthSignIn,
       verifyOtp,
       getSupabaseClient,
@@ -466,8 +366,7 @@ export function useSupabaseAuth() {
     [
       signOut,
       signInWithOtp,
-      signInWithGoogle,
-      signInWithApple,
+      signInWithSocialLogin,
       performOAuthSignIn,
       verifyOtp,
       getAccessToken,
diff --git a/packages/kit/src/components/OneKeyAuth/useOneKeyAuth.tsx b/packages/kit/src/components/OneKeyAuth/useOneKeyAuth.tsx
index eeaf79d36e10..7c020a4a83ed 100644
--- a/packages/kit/src/components/OneKeyAuth/useOneKeyAuth.tsx
+++ b/packages/kit/src/components/OneKeyAuth/useOneKeyAuth.tsx
@@ -47,6 +47,7 @@ export function useOneKeyAuthMethods() {
   const [user] = usePrimePersistAtom();
 
   const {
+    signInWithSocialLogin,
     signOut: supabaseSignOut,
     getAccessToken,
     isReady,
@@ -94,6 +95,7 @@ export function useOneKeyAuthMethods() {
       supabaseSignInWithOtp,
       supabaseVerifyOtp,
       supabaseSignOut,
+      signInWithSocialLogin,
     };
   }, [
     getAccessToken,
@@ -105,6 +107,7 @@ export function useOneKeyAuthMethods() {
     supabaseSignInWithOtp,
     supabaseVerifyOtp,
     supabaseSignOut,
+    signInWithSocialLogin,
   ]);
 }
 
diff --git a/packages/kit/src/components/Password/components/PasswordSetup.tsx b/packages/kit/src/components/Password/components/PasswordSetup.tsx
index 68d69c1abbcc..c7cd886cf099 100644
--- a/packages/kit/src/components/Password/components/PasswordSetup.tsx
+++ b/packages/kit/src/components/Password/components/PasswordSetup.tsx
@@ -42,6 +42,8 @@ interface IPasswordSetupProps {
   onSetupPassword: (data: IPasswordSetupForm) => void;
   biologyAuthSwitchContainer?: React.ReactNode;
   confirmBtnText?: string;
+  pageMode?: boolean;
+  onStepChange?: (step: 'create' | 'confirm') => void;
 }
 const useHandleEnterKey = platformEnv.isNative
   ? () => {}
@@ -70,6 +72,8 @@ const PasswordSetup = ({
   onSetupPassword,
   confirmBtnText,
   biologyAuthSwitchContainer,
+  pageMode,
+  onStepChange,
 }: IPasswordSetupProps) => {
   const intl = useIntl();
   const [currentPasswordMode, setCurrentPasswordMode] = useState(passwordMode);
@@ -106,10 +110,11 @@ const PasswordSetup = ({
   }, [confirmBtnText, intl, passCodeFirstStep]);
   const onPassCodeNext = useCallback(() => {
     setPassCodeConfirm(true);
+    onStepChange?.('confirm');
     setTimeout(() => {
       form.setFocus('confirmPassCode');
     }, 150);
-  }, [form]);
+  }, [form, onStepChange]);
 
   const clearPasscodeTimeOut = useCallback(() => {
     setPassCodeConfirmClear(false);
@@ -129,33 +134,29 @@ const PasswordSetup = ({
 
   return (
     <>
-      {currentPasswordMode === EPasswordMode.PASSCODE && passCodeConfirm ? (
+      {!pageMode ? (
         <Dialog.Header>
           <Dialog.Title>
             <Heading size="$headingXl" py="$px">
               {intl.formatMessage({
-                id: ETranslations.auth_confirm_passcode_form_label,
+                id:
+                  currentPasswordMode === EPasswordMode.PASSCODE &&
+                  passCodeConfirm
+                    ? ETranslations.auth_confirm_passcode_form_label
+                    : ETranslations.global_set_passcode,
               })}
             </Heading>
           </Dialog.Title>
         </Dialog.Header>
-      ) : (
-        <Dialog.Header>
-          <Dialog.Title>
-            <Heading size="$headingXl" py="$px">
-              {intl.formatMessage({
-                id: ETranslations.global_set_passcode,
-              })}
-            </Heading>
-          </Dialog.Title>
-        </Dialog.Header>
-      )}
+      ) : null}
       <Form form={form}>
         {currentPasswordMode === EPasswordMode.PASSWORD ? (
           <>
             <Form.Field
-              label={intl.formatMessage({
-                id: ETranslations.auth_new_passcode_form_label,
+              {...(!pageMode && {
+                label: intl.formatMessage({
+                  id: ETranslations.auth_new_passcode_form_label,
+                }),
               })}
               name="password"
               rules={{
@@ -200,9 +201,11 @@ const PasswordSetup = ({
             >
               <Input
                 size="large"
-                $gtMd={{
-                  size: 'medium',
-                }}
+                {...(!pageMode && {
+                  $gtMd: {
+                    size: 'medium',
+                  },
+                })}
                 placeholder={intl.formatMessage({
                   id: ETranslations.auth_new_passcode_form_placeholder,
                 })}
@@ -225,8 +228,10 @@ const PasswordSetup = ({
               />
             </Form.Field>
             <Form.Field
-              label={intl.formatMessage({
-                id: ETranslations.auth_confirm_passcode_form_label,
+              {...(!pageMode && {
+                label: intl.formatMessage({
+                  id: ETranslations.auth_confirm_passcode_form_label,
+                }),
               })}
               name="confirmPassword"
               rules={{
@@ -250,9 +255,11 @@ const PasswordSetup = ({
             >
               <Input
                 size="large"
-                $gtMd={{
-                  size: 'medium',
-                }}
+                {...(!pageMode && {
+                  $gtMd: {
+                    size: 'medium',
+                  },
+                })}
                 placeholder={intl.formatMessage({
                   id: ETranslations.auth_confirm_passcode_form_placeholder,
                 })}
@@ -373,11 +380,11 @@ const PasswordSetup = ({
         {currentPasswordMode === EPasswordMode.PASSWORD ? (
           <Button
             size="large"
-            $gtMd={
-              {
+            {...(!pageMode && {
+              $gtMd: {
                 size: 'medium',
-              } as any
-            }
+              } as any,
+            })}
             variant="primary"
             loading={loading}
             onPress={handleSubmit}
diff --git a/packages/kit/src/components/Password/components/PasswordVerify.tsx b/packages/kit/src/components/Password/components/PasswordVerify.tsx
index 24191aa38ab3..6d6cae77817e 100644
--- a/packages/kit/src/components/Password/components/PasswordVerify.tsx
+++ b/packages/kit/src/components/Password/components/PasswordVerify.tsx
@@ -57,6 +57,7 @@ interface IPasswordVerifyProps {
   };
   alertText?: string;
   confirmBtnDisabled?: boolean;
+  pageMode?: boolean;
 }
 
 export interface IPasswordVerifyForm {
@@ -65,6 +66,7 @@ export interface IPasswordVerifyForm {
 }
 
 function PasswordVerify({
+  pageMode,
   isEnable,
   alertText,
   confirmBtnDisabled,
@@ -346,6 +348,9 @@ function PasswordVerify({
                 form.setValue('passCode', pin);
                 form.clearErrors('passCode');
                 setPassCodeClear(false);
+                if (pageMode) {
+                  onPasswordChange(pin);
+                }
               }}
               editable={Boolean(
                 status.value !== EPasswordVerifyStatus.VERIFYING &&
diff --git a/packages/kit/src/components/Password/container/PasswordSetupContainer.tsx b/packages/kit/src/components/Password/container/PasswordSetupContainer.tsx
index 1badf50fc43e..a6a1dbcbccd7 100644
--- a/packages/kit/src/components/Password/container/PasswordSetupContainer.tsx
+++ b/packages/kit/src/components/Password/container/PasswordSetupContainer.tsx
@@ -30,7 +30,8 @@ import PasswordSetup from '../components/PasswordSetup';
 import type { IPasswordSetupForm } from '../components/PasswordSetup';
 
 interface IPasswordSetupProps {
-  onSetupRes: (password: string) => void;
+  onSetupRes: (password: string) => void | Promise<void>;
+  pageMode?: boolean;
 }
 
 interface IBiologyAuthContainerProps {
@@ -74,7 +75,10 @@ const BiologyAuthContainer = ({
   ) : null;
 };
 
-const PasswordSetupContainer = ({ onSetupRes }: IPasswordSetupProps) => {
+const PasswordSetupContainer = ({
+  onSetupRes,
+  pageMode,
+}: IPasswordSetupProps) => {
   const intl = useIntl();
   const [loading, setLoading] = useState(false);
   const [{ isSupport }] = usePasswordWebAuthInfoAtom();
@@ -105,9 +109,15 @@ const PasswordSetupContainer = ({ onSetupRes }: IPasswordSetupProps) => {
         Toast.success({
           title: intl.formatMessage({ id: ETranslations.auth_passcode_set }),
         });
-        setTimeout(() => {
-          onSetupRes(setUpPasswordRes);
-        });
+
+        if (pageMode) {
+          await onSetupRes(setUpPasswordRes);
+        } else {
+          setTimeout(() => {
+            void onSetupRes(setUpPasswordRes);
+          });
+        }
+
         // Dialog.show({
         //   title: intl.formatMessage({
         //     id: ETranslations.auth_Passcode_protection,
@@ -161,11 +171,19 @@ const PasswordSetupContainer = ({ onSetupRes }: IPasswordSetupProps) => {
         setLoading(false);
       }
     },
-    [intl, isBiologyAuthSwitchOn, isSupport, onSetupRes, setWebAuthEnable],
+    [
+      intl,
+      isBiologyAuthSwitchOn,
+      isSupport,
+      onSetupRes,
+      pageMode,
+      setWebAuthEnable,
+    ],
   );
 
   return (
     <PasswordSetup
+      pageMode={pageMode}
       loading={loading}
       passwordMode={passwordMode}
       onSetupPassword={onSetupPassword}
diff --git a/packages/kit/src/components/Password/container/PasswordVerifyContainer.tsx b/packages/kit/src/components/Password/container/PasswordVerifyContainer.tsx
index cce5b417917a..5182c6ac7703 100644
--- a/packages/kit/src/components/Password/container/PasswordVerifyContainer.tsx
+++ b/packages/kit/src/components/Password/container/PasswordVerifyContainer.tsx
@@ -42,14 +42,16 @@ import type { IPasswordVerifyForm } from '../components/PasswordVerify';
 import type { LayoutChangeEvent } from 'react-native';
 
 interface IPasswordVerifyProps {
-  onVerifyRes: (password: string) => void;
+  onVerifyRes: (password: string) => void | Promise<void>;
   onLayout?: (e: LayoutChangeEvent) => void;
   name?: 'lock';
+  pageMode?: boolean;
 }
 
 const PasswordVerifyContainer = ({
   onVerifyRes,
   name,
+  pageMode,
 }: IPasswordVerifyProps) => {
   const intl = useIntl();
   const [{ authType, isEnable }] = usePasswordBiologyAuthInfoAtom();
@@ -184,7 +186,8 @@ const PasswordVerifyContainer = ({
     async (isExtLockNoCachePassword: boolean) => {
       if (
         passwordVerifyStatus.value === EPasswordVerifyStatus.VERIFYING ||
-        passwordVerifyStatus.value === EPasswordVerifyStatus.VERIFIED
+        (!pageMode &&
+          passwordVerifyStatus.value === EPasswordVerifyStatus.VERIFIED)
       ) {
         return;
       }
@@ -196,11 +199,17 @@ const PasswordVerifyContainer = ({
         if (isExtLockNoCachePassword) {
           const result = await checkWebAuth();
           if (result) {
+            if (pageMode) {
+              await onVerifyRes('');
+            } else {
+              setTimeout(() => {
+                void onVerifyRes('');
+              });
+            }
             setPasswordAtom((v) => ({
               ...v,
               passwordVerifyStatus: { value: EPasswordVerifyStatus.VERIFIED },
             }));
-            onVerifyRes('');
             resetPasswordErrorAttempts();
           } else {
             throw new OneKeyLocalError('biology auth verify error');
@@ -219,11 +228,17 @@ const PasswordVerifyContainer = ({
               });
           }
           if (biologyAuthRes) {
+            if (pageMode) {
+              await onVerifyRes(biologyAuthRes);
+            } else {
+              setTimeout(() => {
+                void onVerifyRes(biologyAuthRes);
+              });
+            }
             setPasswordAtom((v) => ({
               ...v,
               passwordVerifyStatus: { value: EPasswordVerifyStatus.VERIFIED },
             }));
-            onVerifyRes(biologyAuthRes);
             resetPasswordErrorAttempts();
           } else {
             throw new OneKeyLocalError('biology auth verify error');
@@ -284,6 +299,7 @@ const PasswordVerifyContainer = ({
       title,
       verifiedPasswordWebAuth,
       verifyPeriodBiologyAuthAttempts,
+      pageMode,
     ],
   );
 
@@ -293,7 +309,8 @@ const PasswordVerifyContainer = ({
     async (data: IPasswordVerifyForm) => {
       if (
         passwordVerifyStatus.value === EPasswordVerifyStatus.VERIFYING ||
-        passwordVerifyStatus.value === EPasswordVerifyStatus.VERIFIED
+        (!pageMode &&
+          passwordVerifyStatus.value === EPasswordVerifyStatus.VERIFIED)
       ) {
         return;
       }
@@ -313,15 +330,21 @@ const PasswordVerifyContainer = ({
             password: encodePassword,
             passwordMode,
           });
-        setPasswordAtom((v) => ({
-          ...v,
-          passwordVerifyStatus: { value: EPasswordVerifyStatus.VERIFIED },
-        }));
         if (platformEnv.isNativeAndroid) {
           dismissKeyboard();
           await timerUtils.wait(0);
         }
-        onVerifyRes(verifiedPassword);
+        if (pageMode) {
+          await onVerifyRes(verifiedPassword);
+        } else {
+          setTimeout(() => {
+            void onVerifyRes(verifiedPassword);
+          });
+        }
+        setPasswordAtom((v) => ({
+          ...v,
+          passwordVerifyStatus: { value: EPasswordVerifyStatus.VERIFIED },
+        }));
         resetPasswordErrorAttempts();
       } catch (e) {
         let message = intl.formatMessage({
@@ -393,6 +416,7 @@ const PasswordVerifyContainer = ({
       setPasswordPersist,
       setUnlockPeriodPasswordArray,
       unlockPeriodPasswordArray,
+      pageMode,
     ],
   );
 
@@ -427,6 +451,7 @@ const PasswordVerifyContainer = ({
   return (
     <Stack>
       <PasswordVerify
+        pageMode={pageMode}
         passwordMode={passwordMode}
         alertText={alertText}
         disableInput={isProtectionTime}
diff --git a/packages/kit/src/components/WalletAvatar/WalletAvatar.tsx b/packages/kit/src/components/WalletAvatar/WalletAvatar.tsx
index ea58ed29cdd9..3023ee7eb8f1 100644
--- a/packages/kit/src/components/WalletAvatar/WalletAvatar.tsx
+++ b/packages/kit/src/components/WalletAvatar/WalletAvatar.tsx
@@ -5,6 +5,7 @@ import type { SizeTokens } from '@onekeyhq/components';
 import { Icon, Image, SizableText, Stack } from '@onekeyhq/components';
 import type { IDBWallet } from '@onekeyhq/kit-bg/src/dbs/local/types';
 import { presetNetworksMap } from '@onekeyhq/shared/src/config/presetNetworks';
+import { EOAuthSocialLoginProvider } from '@onekeyhq/shared/src/consts/authConsts';
 import accountUtils from '@onekeyhq/shared/src/utils/accountUtils';
 import type { IAllWalletAvatarImageNames } from '@onekeyhq/shared/src/utils/avatarUtils';
 import { AllWalletAvatarImages } from '@onekeyhq/shared/src/utils/avatarUtils';
@@ -68,6 +69,7 @@ export function WalletAvatar({
   img,
   wallet,
 }: IWalletAvatarProps) {
+  const socialLoginProvider = wallet?.keylessDetailsInfo?.keylessProvider;
   return (
     <Stack w={size} h={size} justifyContent="center" alignItems="center">
       <WalletAvatarBase size={size} img={img} wallet={wallet} />
@@ -115,7 +117,7 @@ export function WalletAvatar({
           </SizableText>
         </Stack>
       ) : null}
-      {/* Keyless wallet cloud icon */}
+      {/* Keyless wallet social login provider icon */}
       {status === 'keyless' ? (
         <Stack
           position="absolute"
@@ -126,7 +128,11 @@ export function WalletAvatar({
           borderRadius="$full"
           zIndex="$1"
         >
-          <Icon name="CloudOutline" size="$3.5" color="$iconInfo" />
+          {socialLoginProvider === EOAuthSocialLoginProvider.Google ? (
+            <Icon name="GoogleIllus" size="$3.5" />
+          ) : (
+            <Icon name="AppleBrand" size="$3.5" color="$iconActive" />
+          )}
         </Stack>
       ) : null}
     </Stack>
diff --git a/packages/kit/src/provider/Bootstrap.tsx b/packages/kit/src/provider/Bootstrap.tsx
index dd75bc68b8e7..13baad8c3f24 100644
--- a/packages/kit/src/provider/Bootstrap.tsx
+++ b/packages/kit/src/provider/Bootstrap.tsx
@@ -1,3 +1,4 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
 import { useCallback, useEffect, useRef } from 'react';
 
 import { CommonActions, StackActions } from '@react-navigation/native';
@@ -38,11 +39,12 @@ import performance from '@onekeyhq/shared/src/performance';
 import platformEnv from '@onekeyhq/shared/src/platformEnv';
 import {
   EDiscoveryModalRoutes,
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
   EGalleryRoutes,
   EModalRoutes,
   EModalSettingRoutes,
   EMultiTabBrowserRoutes,
+  EOnboardingPagesV2,
+  EOnboardingV2Routes,
   ETabEarnRoutes,
   ETabMarketRoutes,
   ETabRoutes,
@@ -713,18 +715,19 @@ export function Bootstrap() {
         //   screen: EOnboardingPages.ConnectWallet,
         // });
         // ----------------------------------------------
-        // navigation.navigate(ERootRoutes.Onboarding, {
-        //   screen: EOnboardingV2Routes.OnboardingV2,
-        //   params: {
-        //     screen: EOnboardingPagesV2.AddExistingWallet,
-        //   },
-        // });
+        navigation.navigate(ERootRoutes.Onboarding, {
+          screen: EOnboardingV2Routes.OnboardingV2,
+          params: {
+            // screen: EOnboardingPagesV2.AddExistingWallet,
+            screen: EOnboardingPagesV2.CreateOrImportWallet,
+          },
+        });
         // navigation.navigate(ETabRoutes.Developer, {
         //    screen: EGalleryRoutes.ComponentKeylessWallet,
         // });
-        navigation.navigate(ETabRoutes.Developer, {
-          screen: EGalleryRoutes.ComponentOneKeyID,
-        });
+        // navigation.navigate(ETabRoutes.Developer, {
+        //   screen: EGalleryRoutes.ComponentOneKeyID,
+        // });
       }, 1000);
 
       return () => clearTimeout(timer);
diff --git a/packages/kit/src/provider/Container/index.tsx b/packages/kit/src/provider/Container/index.tsx
index cdb85368ecff..997acc41e31c 100644
--- a/packages/kit/src/provider/Container/index.tsx
+++ b/packages/kit/src/provider/Container/index.tsx
@@ -55,6 +55,7 @@ function DetailRouter() {
       <GlobalRootAppNavigationUpdate />
       <JotaiContextRootProvidersAutoMount />
       <Bootstrap />
+      <FullWindowOverlayContainer />
       <AirGapQrcodeDialogContainer />
       <CreateAddressContainer />
       <PrevCheckBeforeSendingContainer />
@@ -66,7 +67,7 @@ function DetailRouter() {
       <DialogLoadingContainer />
       <DiskFullWarningDialogContainer />
       <CloudBackupContainer />
-      <FullWindowOverlayContainer />
+      {/* <PortalBodyContainer /> */}
       <PageTrackerContainer />
       <ErrorToastContainer />
       <GlobalErrorHandlerContainer />
diff --git a/packages/kit/src/routes/Modal/router.tsx b/packages/kit/src/routes/Modal/router.tsx
index 3c6d06a76cb2..cd08b8524bfa 100644
--- a/packages/kit/src/routes/Modal/router.tsx
+++ b/packages/kit/src/routes/Modal/router.tsx
@@ -5,6 +5,7 @@ import platformEnv from '@onekeyhq/shared/src/platformEnv';
 import { EModalRoutes, EOnboardingV2Routes } from '@onekeyhq/shared/src/routes';
 
 import backgroundApiProxy from '../../background/instance/backgroundApiProxy';
+import { keylessOnboardingCache } from '../../components/KeylessWallet/useKeylessWallet';
 import { AccountManagerStacks } from '../../views/AccountManagerStacks/router';
 import { ModalAddressBookRouter } from '../../views/AddressBook/router';
 import { ModalApprovalManagementStack } from '../../views/ApprovalManagement/router';
@@ -262,6 +263,7 @@ export const onboardingRouterV2Config: IModalRootNavigatorConfig<EOnboardingV2Ro
         console.log('OnboardingModal onMounted');
       },
       onUnmounted: async () => {
+        void keylessOnboardingCache.clear();
         await v4migrationAtom.set((v) => ({
           ...v,
           isProcessing: false,
diff --git a/packages/kit/src/states/jotai/contexts/accountSelector/actions.tsx b/packages/kit/src/states/jotai/contexts/accountSelector/actions.tsx
index a368679243f7..9e0e5e369828 100644
--- a/packages/kit/src/states/jotai/contexts/accountSelector/actions.tsx
+++ b/packages/kit/src/states/jotai/contexts/accountSelector/actions.tsx
@@ -842,9 +842,13 @@ class AccountSelectorActions extends ContextJotaiActionsBase {
       {
         mnemonic,
         isWalletBackedUp,
+        isKeylessWallet,
+        keylessDetailsInfo,
       }: {
         mnemonic: string;
         isWalletBackedUp?: boolean;
+        isKeylessWallet?: boolean;
+        keylessDetailsInfo?: import('@onekeyhq/kit-bg/src/dbs/local/types').IKeylessWalletDetailsInfo;
       },
     ) =>
       this.withFinalizeWalletSetupStep.call(set, {
@@ -853,6 +857,8 @@ class AccountSelectorActions extends ContextJotaiActionsBase {
             await serviceAccount.createHDWallet({
               mnemonic,
               isWalletBackedUp,
+              isKeylessWallet,
+              keylessDetailsInfo,
             });
           await this.autoSelectToCreatedWallet.call(set, {
             wallet,
diff --git a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/BulkCopyAddressesButton.tsx b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/BulkCopyAddressesButton.tsx
index 217bd3bd884d..6abefcb4d498 100644
--- a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/BulkCopyAddressesButton.tsx
+++ b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/BulkCopyAddressesButton.tsx
@@ -130,7 +130,7 @@ export function BulkCopyAddressesButton({
       extra={
         isPrimeUser ? null : (
           <Badge badgeSize="sm" badgeType="default">
-            <Badge.Text>
+            <Badge.Text size="$bodySmMedium">
               {intl.formatMessage({
                 id: ETranslations.prime_status_prime,
               })}
diff --git a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletBoundReferralCodeButton.tsx b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletBoundReferralCodeButton.tsx
index 369c8ee4c37d..acf348424274 100644
--- a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletBoundReferralCodeButton.tsx
+++ b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletBoundReferralCodeButton.tsx
@@ -114,7 +114,7 @@ function WalletBoundReferralCodeButtonView({
       extra={
         shouldBoundReferralCode ? undefined : (
           <Badge badgeSize="sm" badgeType="info">
-            <Badge.Text>
+            <Badge.Text size="$bodySmMedium">
               {intl.formatMessage({
                 id: ETranslations.referral_wallet_bind_code_finish,
               })}
diff --git a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletEditButton.tsx b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletEditButton.tsx
index 0cecb5ef964b..bbca23a9aab3 100644
--- a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletEditButton.tsx
+++ b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletEditButton.tsx
@@ -4,20 +4,16 @@ import { useIntl } from 'react-intl';
 
 import { ActionList, Divider } from '@onekeyhq/components';
 import { AccountSelectorProviderMirror } from '@onekeyhq/kit/src/components/AccountSelector';
+import { useKeylessWallet } from '@onekeyhq/kit/src/components/KeylessWallet/useKeylessWallet';
 import { ListItem } from '@onekeyhq/kit/src/components/ListItem';
 import { useOneKeyAuth } from '@onekeyhq/kit/src/components/OneKeyAuth/useOneKeyAuth';
-import useAppNavigation from '@onekeyhq/kit/src/hooks/useAppNavigation';
 import {
   useAccountSelectorContextData,
   useActiveAccount,
 } from '@onekeyhq/kit/src/states/jotai/contexts/accountSelector';
 import type { IDBWallet } from '@onekeyhq/kit-bg/src/dbs/local/types';
 import { ETranslations } from '@onekeyhq/shared/src/locale';
-import {
-  EModalRoutes,
-  EOnboardingV2KeylessWalletCreationMode,
-} from '@onekeyhq/shared/src/routes';
-import { EPrimePages } from '@onekeyhq/shared/src/routes/prime';
+import { EOnboardingV2OneKeyIDLoginMode } from '@onekeyhq/shared/src/routes';
 import accountUtils from '@onekeyhq/shared/src/utils/accountUtils';
 
 import { usePrimeAvailable } from '../../../Prime/hooks/usePrimeAvailable';
@@ -41,14 +37,11 @@ function WalletEditButtonView({
   const {
     activeAccount: { network },
   } = useActiveAccount({ num: num ?? 0 });
-  const navigation = useAppNavigation();
-  const isKeyless = useMemo(
-    () => accountUtils.isKeylessWallet({ walletId: wallet?.id || '' }),
-    [wallet],
-  );
+  const isKeyless = useMemo(() => wallet?.isKeyless, [wallet]);
 
   const { isPrimeAvailable } = usePrimeAvailable();
   const { user } = useOneKeyAuth();
+  const { goToOneKeyIDLoginPageForKeylessWallet } = useKeylessWallet();
 
   const isPrimeUser = useMemo(() => {
     return user?.primeSubscription?.isActive && user?.onekeyUserId;
@@ -126,18 +119,29 @@ function WalletEditButtonView({
             onClose={handleActionListClose}
           />
 
-          {/* Keyless wallet: Keys & Recovery */}
+          {/* Keyless wallet: Reset PIN */}
+          {isKeyless ? (
+            <ActionList.Item
+              icon="InputOutline"
+              label={intl.formatMessage({ id: ETranslations.reset_pin })}
+              onClose={handleActionListClose}
+              onPress={() => {
+                void goToOneKeyIDLoginPageForKeylessWallet({
+                  mode: EOnboardingV2OneKeyIDLoginMode.KeylessResetPin,
+                });
+              }}
+            />
+          ) : null}
+
+          {/* Keyless wallet: Verify PIN */}
           {isKeyless ? (
             <ActionList.Item
-              icon="Key2Outline"
-              label="Keys & Recovery"
+              icon="ChecklistOutline"
+              label="Verify PIN"
               onClose={handleActionListClose}
               onPress={() => {
-                navigation.push(EModalRoutes.PrimeModal, {
-                  screen: EPrimePages.KeylessWallet,
-                  params: {
-                    mode: EOnboardingV2KeylessWalletCreationMode.View,
-                  },
+                void goToOneKeyIDLoginPageForKeylessWallet({
+                  mode: EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly,
                 });
               }}
             />
@@ -211,7 +215,8 @@ function WalletEditButtonView({
       showAddHiddenWalletButton,
       showRemoveWalletButton,
       showRemoveDeviceButton,
-      navigation,
+      goToOneKeyIDLoginPageForKeylessWallet,
+      intl,
     ],
   );
 
diff --git a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveButton.tsx b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveButton.tsx
index ca1110da47ba..46ada85cd736 100644
--- a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveButton.tsx
+++ b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveButton.tsx
@@ -30,6 +30,9 @@ export function WalletRemoveButton({
     if (platformEnv.isWebDappMode) {
       return intl.formatMessage({ id: ETranslations.explore_disconnect });
     }
+    if (wallet?.isKeyless) {
+      return intl.formatMessage({ id: ETranslations.log_out_wallet });
+    }
     if (accountUtils.isHwHiddenWallet({ wallet })) {
       return intl.formatMessage({ id: ETranslations.remove_hidden_wallet });
     }
@@ -46,9 +49,19 @@ export function WalletRemoveButton({
     });
   }, [isRemoveToMocked, wallet, intl]);
 
+  const icon = useMemo(() => {
+    if (wallet?.isKeyless) {
+      return 'LogoutOutline';
+    }
+    if (isRemoveToMocked) {
+      return 'DeleteOutline';
+    }
+    return 'EjectOutline';
+  }, [wallet?.isKeyless, isRemoveToMocked]);
+
   return (
     <ActionList.Item
-      icon={isRemoveToMocked ? 'DeleteOutline' : 'EjectOutline'}
+      icon={icon}
       destructive
       label={label}
       onClose={onClose}
diff --git a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveDialog.tsx b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveDialog.tsx
index 98bdb1adeeb2..2ad34cb4e690 100644
--- a/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveDialog.tsx
+++ b/packages/kit/src/views/AccountManagerStacks/components/WalletEdit/WalletRemoveDialog.tsx
@@ -81,19 +81,17 @@ export function getTitleAndDescription({
     accountUtils.isHwWallet({ walletId: wallet?.id }) ||
     accountUtils.isQrWallet({ walletId: wallet?.id });
 
-  const isKeyless = accountUtils.isKeylessWallet({
-    walletId: wallet?.id || '',
-  });
+  const isKeyless = wallet?.isKeyless;
 
   // Keyless wallet has a different description
   if (isKeyless) {
     return {
       isHwOrQr: false,
       isKeyless: true,
-      title: appLocale.intl.formatMessage({ id: ETranslations.remove_wallet }),
-      // TODO: Add proper translation key for keyless wallet removal
-      description:
-        'You can restore this wallet anytime using your security keys.',
+      title: appLocale.intl.formatMessage({ id: ETranslations.log_out_wallet }),
+      description: appLocale.intl.formatMessage({
+        id: ETranslations.log_out_wallet_desc,
+      }),
     };
   }
 
diff --git a/packages/kit/src/views/AccountManagerStacks/pages/AccountSelectorStack/WalletList/WalletListItem.tsx b/packages/kit/src/views/AccountManagerStacks/pages/AccountSelectorStack/WalletList/WalletListItem.tsx
index 08074ded782f..9a5f7b2a26e0 100644
--- a/packages/kit/src/views/AccountManagerStacks/pages/AccountSelectorStack/WalletList/WalletListItem.tsx
+++ b/packages/kit/src/views/AccountManagerStacks/pages/AccountSelectorStack/WalletList/WalletListItem.tsx
@@ -192,9 +192,7 @@ export function WalletListItem({
   shouldShowCreateHiddenWalletButtonFn,
   ...rest
 }: IWalletListItemProps) {
-  const isKeylessWallet = accountUtils.isKeylessWallet({
-    walletId: wallet?.id ?? '',
-  });
+  const isKeylessWallet = wallet?.isKeyless;
 
   let walletAvatarProps: IWalletAvatarProps = {
     wallet,
diff --git a/packages/kit/src/views/Developer/pages/Gallery/Components/stories/CryptoGallery.tsx b/packages/kit/src/views/Developer/pages/Gallery/Components/stories/CryptoGallery.tsx
index 04b4500159b4..8f929944edd7 100644
--- a/packages/kit/src/views/Developer/pages/Gallery/Components/stories/CryptoGallery.tsx
+++ b/packages/kit/src/views/Developer/pages/Gallery/Components/stories/CryptoGallery.tsx
@@ -231,6 +231,156 @@ function AESCbcTest() {
   );
 }
 
+/**
+ * Test crypto.subtle polyfill
+ * This polyfill is required for Supabase Auth PKCE flow on React Native
+ * @see packages/shared/src/appCrypto/cryptoSubtlePolyfill.js
+ */
+function CryptoSubtlePolyfillTest() {
+  const [result, setResult] = useState('');
+
+  const testCryptoSubtle = async () => {
+    try {
+      const tasks: IRunAppCryptoTestTaskResult[] = [];
+
+      // Test 1: Check if crypto.subtle exists
+      tasks.push(
+        await runAppCryptoTestTask({
+          expect: 'true',
+          name: 'crypto.subtle exists',
+          fn: async () => {
+            return String(
+              typeof crypto !== 'undefined' &&
+                typeof crypto.subtle !== 'undefined' &&
+                typeof crypto.subtle.digest === 'function',
+            );
+          },
+        }),
+      );
+
+      // Test 2: SHA-256 digest test
+      // Hash of "hello" in SHA-256 should be:
+      // 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
+      const testData = new TextEncoder().encode('hello');
+      const expectedSha256 =
+        '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824';
+
+      tasks.push(
+        await runAppCryptoTestTask({
+          expect: expectedSha256,
+          name: 'crypto.subtle.digest(SHA-256)',
+          fn: async () => {
+            const hashBuffer = await crypto.subtle.digest('SHA-256', testData);
+            const hashArray = Array.from(new Uint8Array(hashBuffer));
+            const hashHex = hashArray
+              .map((b) => b.toString(16).padStart(2, '0'))
+              .join('');
+            return hashHex;
+          },
+        }),
+      );
+
+      // Test 3: SHA-512 digest test
+      // Hash of "hello" in SHA-512
+      const expectedSha512 =
+        '9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2dff72519673ca72323c3d99ba5c11d7c7acc6e14b8c5da0c4663475c2e5c3adef46f73bcdec043';
+
+      tasks.push(
+        await runAppCryptoTestTask({
+          expect: expectedSha512,
+          name: 'crypto.subtle.digest(SHA-512)',
+          fn: async () => {
+            const hashBuffer = await crypto.subtle.digest('SHA-512', testData);
+            const hashArray = Array.from(new Uint8Array(hashBuffer));
+            const hashHex = hashArray
+              .map((b) => b.toString(16).padStart(2, '0'))
+              .join('');
+            return hashHex;
+          },
+        }),
+      );
+
+      // Test 4: SHA-1 digest test
+      // Hash of "hello" in SHA-1
+      const expectedSha1 = 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d';
+
+      tasks.push(
+        await runAppCryptoTestTask({
+          expect: expectedSha1,
+          name: 'crypto.subtle.digest(SHA-1)',
+          fn: async () => {
+            const hashBuffer = await crypto.subtle.digest('SHA-1', testData);
+            const hashArray = Array.from(new Uint8Array(hashBuffer));
+            const hashHex = hashArray
+              .map((b) => b.toString(16).padStart(2, '0'))
+              .join('');
+            return hashHex;
+          },
+        }),
+      );
+
+      // Test 5: Supabase PKCE simulation test
+      // Simulate the actual PKCE flow that Supabase uses
+      const codeVerifier = 'test-code-verifier-for-pkce-flow';
+      const verifierData = new TextEncoder().encode(codeVerifier);
+
+      tasks.push(
+        await runAppCryptoTestTask({
+          expect:
+            'f0c2f8b2aad90ad913c0561953b38bf3d435f59b5e4ef24eebc6605b0b444907',
+          name: 'crypto.subtle.digest(PKCE simulation)',
+          fn: async () => {
+            const hashBuffer = await crypto.subtle.digest(
+              'SHA-256',
+              verifierData,
+            );
+            const hashArray = Array.from(new Uint8Array(hashBuffer));
+            const hashHex = hashArray
+              .map((b) => b.toString(16).padStart(2, '0'))
+              .join('');
+            return hashHex;
+          },
+        }),
+      );
+
+      setResult(
+        stringUtils.stableStringify(
+          tasks,
+          stringUtils.STRINGIFY_REPLACER.bufferToHex,
+          2,
+        ),
+      );
+
+      const allPassed = tasks.every(
+        (t) => t.isCorrect === AppCryptoTestEmoji.isCorrect,
+      );
+      if (allPassed) {
+        Toast.success({
+          title: 'crypto.subtle polyfill test passed',
+        });
+      } else {
+        Toast.error({
+          title: 'crypto.subtle polyfill test failed',
+        });
+      }
+    } catch (error) {
+      setResult(`Error: ${(error as Error).message}`);
+      Toast.error({
+        title: `crypto.subtle test failed: ${(error as Error).message}`,
+      });
+    }
+  };
+
+  return (
+    <PartContainer title="crypto.subtle Polyfill Test">
+      <Button variant="primary" onPress={testCryptoSubtle}>
+        Test crypto.subtle Polyfill
+      </Button>
+      {result ? <SizableText size="$bodyMd">{result}</SizableText> : null}
+    </PartContainer>
+  );
+}
+
 function SecretFunctionsTest() {
   const [result, setResult] = useState('');
 
@@ -731,6 +881,9 @@ const CryptoGallery = () => (
               <CustomAccordionItem title="AES-CBC Test">
                 <AESCbcTest />
               </CustomAccordionItem>
+              <CustomAccordionItem title="crypto.subtle Polyfill Test">
+                <CryptoSubtlePolyfillTest />
+              </CustomAccordionItem>
               <CustomAccordionItem title="SecretFunctions Test">
                 <SecretFunctionsTest />
               </CustomAccordionItem>
diff --git a/packages/kit/src/views/Developer/pages/Gallery/Components/stories/OneKeyIDGallery.tsx b/packages/kit/src/views/Developer/pages/Gallery/Components/stories/OneKeyIDGallery.tsx
index e8d71731f5f6..c5e203252e89 100644
--- a/packages/kit/src/views/Developer/pages/Gallery/Components/stories/OneKeyIDGallery.tsx
+++ b/packages/kit/src/views/Developer/pages/Gallery/Components/stories/OneKeyIDGallery.tsx
@@ -17,7 +17,25 @@ import {
 import backgroundApiProxy from '@onekeyhq/kit/src/background/instance/backgroundApiProxy';
 import { useSupabaseAuth } from '@onekeyhq/kit/src/components/OneKeyAuth/supabase/useSupabaseAuth';
 import { useOneKeyAuth } from '@onekeyhq/kit/src/components/OneKeyAuth/useOneKeyAuth';
+import useAppNavigation from '@onekeyhq/kit/src/hooks/useAppNavigation';
+
+// eslint-disable-next-line @typescript-eslint/no-restricted-imports
+import { JuiceboxClient } from '@onekeyhq/kit-bg/src/services/ServiceKeylessWallet/utils/JuiceboxClient';
+import {
+  EOAuthSocialLoginProvider,
+  GOOGLE_OAUTH_CLIENT_IDS,
+  KEYLESS_SUPABASE_PROJECT_URL,
+  KEYLESS_SUPABASE_PUBLIC_API_KEY,
+  SUPABASE_PROJECT_URL,
+  SUPABASE_PUBLIC_API_KEY,
+} from '@onekeyhq/shared/src/consts/authConsts';
 import platformEnv from '@onekeyhq/shared/src/platformEnv';
+import {
+  EOnboardingPagesV2,
+  EOnboardingV2Routes,
+  ERootRoutes,
+} from '@onekeyhq/shared/src/routes';
+import { formatDate } from '@onekeyhq/shared/src/utils/dateUtils';
 import stringUtils from '@onekeyhq/shared/src/utils/stringUtils';
 
 import { Layout } from './utils/Layout';
@@ -52,6 +70,7 @@ function demoError(error: unknown, apiName: string) {
 }
 
 function OneKeyIDApiTests() {
+  const navigation = useAppNavigation();
   const [email, setEmail] = useState('');
   const [otp, setOtp] = useState('');
   const [loading, setLoading] = useState<string | null>(null);
@@ -63,8 +82,6 @@ function OneKeyIDApiTests() {
   > | null>(null);
 
   const {
-    signInWithGoogle,
-    signInWithApple,
     signInWithOtp,
     verifyOtp,
     getSession,
@@ -74,7 +91,7 @@ function OneKeyIDApiTests() {
     isReady,
   } = useSupabaseAuth();
 
-  const { logout } = useOneKeyAuth();
+  const { logout, signInWithSocialLogin } = useOneKeyAuth();
 
   const onTryCloseWindow = async () => {
     if (platformEnv.isNative) {
@@ -126,6 +143,65 @@ function OneKeyIDApiTests() {
         </XStack>
       </XStack>
 
+      <SizableText size="$headingMd" mt="$2">
+        Supabase Config (Debug)
+      </SizableText>
+      <YStack
+        gap="$2"
+        padding="$3"
+        backgroundColor="$bgSubdued"
+        borderRadius="$2"
+      >
+        <XStack gap="$2">
+          <SizableText size="$bodySm" color="$textSubdued">
+            SUPABASE_PROJECT_URL:
+          </SizableText>
+          <SizableText size="$bodySm" style={{ wordBreak: 'break-all' }}>
+            {SUPABASE_PROJECT_URL || '(empty)'}
+          </SizableText>
+        </XStack>
+        <XStack gap="$2">
+          <SizableText size="$bodySm" color="$textSubdued">
+            SUPABASE_PUBLIC_API_KEY:
+          </SizableText>
+          <SizableText size="$bodySm" style={{ wordBreak: 'break-all' }}>
+            {SUPABASE_PUBLIC_API_KEY || '(empty)'}
+          </SizableText>
+        </XStack>
+        <XStack gap="$2">
+          <SizableText size="$bodySm" color="$textSubdued">
+            KEYLESS_SUPABASE_PROJECT_URL:
+          </SizableText>
+          <SizableText size="$bodySm" style={{ wordBreak: 'break-all' }}>
+            {KEYLESS_SUPABASE_PROJECT_URL || '(empty)'}
+          </SizableText>
+        </XStack>
+        <XStack gap="$2">
+          <SizableText size="$bodySm" color="$textSubdued">
+            KEYLESS_SUPABASE_PUBLIC_API_KEY:
+          </SizableText>
+          <SizableText size="$bodySm" style={{ wordBreak: 'break-all' }}>
+            {KEYLESS_SUPABASE_PUBLIC_API_KEY || '(empty)'}
+          </SizableText>
+        </XStack>
+        <XStack gap="$2">
+          <SizableText size="$bodySm" color="$textSubdued">
+            GOOGLE_OAUTH_CLIENT_WEB:
+          </SizableText>
+          <SizableText size="$bodySm" style={{ wordBreak: 'break-all' }}>
+            {GOOGLE_OAUTH_CLIENT_IDS.WEB || '(empty)'}
+          </SizableText>
+        </XStack>
+        <XStack gap="$2">
+          <SizableText size="$bodySm" color="$textSubdued">
+            GOOGLE_OAUTH_CLIENT_IOS:
+          </SizableText>
+          <SizableText size="$bodySm" style={{ wordBreak: 'break-all' }}>
+            {GOOGLE_OAUTH_CLIENT_IDS.IOS || '(empty)'}
+          </SizableText>
+        </XStack>
+      </YStack>
+
       <SizableText size="$headingMd" mt="$2">
         OAuth Sign In
       </SizableText>
@@ -144,7 +220,10 @@ function OneKeyIDApiTests() {
           onPress={async () => {
             try {
               setLoading('google');
-              const result = await signInWithGoogle({ persistSession });
+              const result = await signInWithSocialLogin(
+                EOAuthSocialLoginProvider.Google,
+                { persistSession },
+              );
               if (result.success && result.session?.accessToken) {
                 // Set access token
                 setAccessToken(result.session.accessToken);
@@ -158,9 +237,9 @@ function OneKeyIDApiTests() {
                   message: 'You are now signed in with Google',
                 });
               }
-              demoLog(result, 'signInWithGoogle');
+              demoLog(result, 'signInWithSocialLogin(Google)');
             } catch (e) {
-              demoError(e, 'signInWithGoogle');
+              demoError(e, 'signInWithSocialLogin(Google)');
             } finally {
               setLoading(null);
             }
@@ -175,16 +254,26 @@ function OneKeyIDApiTests() {
           onPress={async () => {
             try {
               setLoading('apple');
-              const result = await signInWithApple({ persistSession });
-              if (result.success) {
+              const result = await signInWithSocialLogin(
+                EOAuthSocialLoginProvider.Apple,
+                { persistSession },
+              );
+              if (result.success && result.session?.accessToken) {
+                // Set access token
+                setAccessToken(result.session.accessToken);
+                // Decode JWT token
+                const decoded = stringUtils.decodeJWT(
+                  result.session.accessToken,
+                );
+                setDecodedToken(decoded);
                 Toast.success({
                   title: 'Apple Sign In Success',
                   message: 'You are now signed in with Apple',
                 });
               }
-              demoLog(result, 'signInWithApple');
+              demoLog(result, 'signInWithSocialLogin(Apple)');
             } catch (e) {
-              demoError(e, 'signInWithApple');
+              demoError(e, 'signInWithSocialLogin(Apple)');
             } finally {
               setLoading(null);
             }
@@ -289,6 +378,26 @@ function OneKeyIDApiTests() {
       {decodedToken !== null ? (
         <Stack gap="$2" mt="$4">
           <SizableText size="$headingMd">Decoded Access Token</SizableText>
+          {decodedToken.iat && typeof decodedToken.iat === 'number' ? (
+            <XStack gap="$2" alignItems="center">
+              <SizableText size="$bodyMd" color="$textSubdued">
+                Issued at:
+              </SizableText>
+              <SizableText size="$bodyMd">
+                {formatDate(new Date(decodedToken.iat * 1000))}
+              </SizableText>
+            </XStack>
+          ) : null}
+          {decodedToken.exp && typeof decodedToken.exp === 'number' ? (
+            <XStack gap="$2" alignItems="center">
+              <SizableText size="$bodyMd" color="$textSubdued">
+                Expires at:
+              </SizableText>
+              <SizableText size="$bodyMd">
+                {formatDate(new Date(decodedToken.exp * 1000))}
+              </SizableText>
+            </XStack>
+          ) : null}
           <ScrollView
             maxHeight={300}
             borderWidth={1}
@@ -402,25 +511,110 @@ function OneKeyIDApiTests() {
         >
           Refresh Session
         </Button>
+      </XStack>
 
+      <SizableText size="$headingMd" mt="$4">
+        Juicebox Test
+      </SizableText>
+      <XStack gap="$3" flexWrap="wrap">
         <Button
-          loading={loading === 'signOut'}
-          disabled={loading !== null}
-          variant="destructive"
           onPress={async () => {
             try {
-              setLoading('signOut');
-              // Sign out from both Supabase and Prime service
-              await logout();
-              demoLog({ success: true }, 'logout');
+              setLoading('juiceboxExchange');
+              const juicebox = new JuiceboxClient();
+              await juicebox.exchangeToken(accessToken);
+              demoLog({ success: true }, 'Juicebox exchangeToken');
             } catch (e) {
-              demoError(e, 'logout');
+              demoError(e, 'Juicebox exchangeToken');
             } finally {
               setLoading(null);
             }
           }}
         >
-          Sign Out
+          Juicebox exchangeToken
+        </Button>
+        <Button
+          loading={loading === 'juiceboxRegister'}
+          disabled={loading !== null || !accessToken}
+          onPress={async () => {
+            try {
+              setLoading('juiceboxRegister');
+              const juicebox = new JuiceboxClient();
+              await juicebox.exchangeToken(accessToken);
+              await juicebox.register({
+                pin: '123456',
+                secret: 'YXNkZg==', // asdf in base64
+                userInfo: 'test-user',
+              });
+              demoLog({ success: true }, 'Juicebox register');
+            } catch (e) {
+              demoError(e, 'Juicebox register');
+            } finally {
+              setLoading(null);
+            }
+          }}
+        >
+          Juicebox Register
+        </Button>
+        <Button
+          loading={loading === 'juiceboxRecover'}
+          disabled={loading !== null || !accessToken}
+          onPress={async () => {
+            try {
+              setLoading('juiceboxRecover');
+              const juicebox = new JuiceboxClient();
+              await juicebox.exchangeToken(accessToken);
+              const secret = await juicebox.recover({
+                pin: '123456',
+                userInfo: 'test-user',
+              });
+              demoLog({ secret }, 'Juicebox recover');
+            } catch (e) {
+              demoError(e, 'Juicebox recover');
+            } finally {
+              setLoading(null);
+            }
+          }}
+        >
+          Juicebox Recover
+        </Button>
+      </XStack>
+
+      <Button
+        loading={loading === 'signOut'}
+        disabled={loading !== null}
+        variant="destructive"
+        onPress={async () => {
+          try {
+            setLoading('signOut');
+            // Sign out from both Supabase and Prime service
+            await logout();
+            demoLog({ success: true }, 'logout');
+          } catch (e) {
+            demoError(e, 'logout');
+          } finally {
+            setLoading(null);
+          }
+        }}
+      >
+        Sign Out
+      </Button>
+
+      <SizableText size="$headingMd" mt="$4">
+        Onboarding Test
+      </SizableText>
+      <XStack gap="$3" flexWrap="wrap">
+        <Button
+          onPress={() => {
+            navigation.navigate(ERootRoutes.Onboarding, {
+              screen: EOnboardingV2Routes.OnboardingV2,
+              params: {
+                screen: EOnboardingPagesV2.CreatePasscode,
+              },
+            });
+          }}
+        >
+          Go to CreatePasscodePage
         </Button>
       </XStack>
     </YStack>
diff --git a/packages/kit/src/views/Onboarding/pages/FinalizeWalletSetup.tsx b/packages/kit/src/views/Onboarding/pages/FinalizeWalletSetup.tsx
index 6b453388534a..07df1e3c9673 100644
--- a/packages/kit/src/views/Onboarding/pages/FinalizeWalletSetup.tsx
+++ b/packages/kit/src/views/Onboarding/pages/FinalizeWalletSetup.tsx
@@ -59,6 +59,7 @@ function FinalizeWalletSetupPage({
   const mnemonic = route?.params?.mnemonic;
   const mnemonicType = route?.params?.mnemonicType;
   const isWalletBackedUp = route?.params?.isWalletBackedUp;
+  const isKeylessWallet = route?.params?.isKeylessWallet;
   const [onboardingError, setOnboardingError] = useState<
     IOneKeyError | undefined
   >(undefined);
@@ -125,6 +126,7 @@ function FinalizeWalletSetupPage({
               await actions.current.createHDWallet({
                 mnemonic,
                 isWalletBackedUp,
+                isKeylessWallet,
               });
             },
           });
@@ -139,7 +141,15 @@ function FinalizeWalletSetupPage({
         throw error;
       }
     })();
-  }, [actions, intl, mnemonic, mnemonicType, popPage, isWalletBackedUp]);
+  }, [
+    actions,
+    intl,
+    mnemonic,
+    mnemonicType,
+    popPage,
+    isWalletBackedUp,
+    isKeylessWallet,
+  ]);
 
   useEffect(() => {
     const fn = (
diff --git a/packages/kit/src/views/Onboardingv2/components/PinInputLayout.tsx b/packages/kit/src/views/Onboardingv2/components/PinInputLayout.tsx
new file mode 100644
index 000000000000..29d290bf3b48
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/components/PinInputLayout.tsx
@@ -0,0 +1,230 @@
+import type {
+  ComponentProps,
+  ForwardRefExoticComponent,
+  RefAttributes,
+} from 'react';
+import {
+  forwardRef,
+  useCallback,
+  useImperativeHandle,
+  useMemo,
+  useRef,
+} from 'react';
+
+import { useFocusEffect } from '@react-navigation/core';
+import { KeyboardAvoidingView, type TextInput } from 'react-native';
+
+import {
+  Button,
+  HeightTransition,
+  Input,
+  Keyboard,
+  Page,
+  SizableText,
+  XStack,
+  YStack,
+  useMedia,
+} from '@onekeyhq/components';
+import platformEnv from '@onekeyhq/shared/src/platformEnv';
+
+import { KeylessOnboardingDebugPanel } from '../pages/KeylessOnboardingDebugPanel';
+
+import { OnboardingLayout } from './OnboardingLayout';
+
+interface IPinInputLayoutProps {
+  title: string;
+  description?: string | React.ReactNode;
+  descriptionColor?: '$textSubdued' | '$textCaution';
+  buttonText: string;
+  secondaryButtonText?: string;
+  onSecondaryButtonPress?: () => void;
+  value: string;
+  onChange: (pin: string) => void;
+  onSubmit: () => void;
+  isSubmitDisabled?: boolean;
+  isInputDisabled?: boolean;
+  errorMessage?: string;
+  isLoading?: boolean;
+  placeholder?: string;
+}
+
+export interface IPinInputLayoutRef {
+  focus: () => void;
+}
+
+const PinInputLayout = forwardRef<IPinInputLayoutRef, IPinInputLayoutProps>(
+  (
+    {
+      title,
+      description,
+      descriptionColor = '$textSubdued',
+      buttonText,
+      secondaryButtonText,
+      onSecondaryButtonPress,
+      value,
+      onChange,
+      onSubmit,
+      isSubmitDisabled = false,
+      isInputDisabled = false,
+      errorMessage,
+      isLoading,
+      placeholder = '••••',
+    },
+    ref,
+  ) => {
+    const inputRef = useRef<TextInput>(null);
+    const { gtMd } = useMedia();
+
+    useImperativeHandle(ref, () => ({
+      focus: () => {
+        inputRef.current?.focus();
+      },
+    }));
+
+    useFocusEffect(
+      useCallback(() => {
+        const timer = setTimeout(
+          () => {
+            inputRef.current?.focus();
+          },
+          platformEnv.isNative ? 500 : 300,
+        );
+        return () => clearTimeout(timer);
+      }, []),
+    );
+
+    const handleChangeText = useCallback(
+      (text: string) => {
+        onChange(text.replace(/[^0-9]/g, ''));
+      },
+      [onChange],
+    );
+
+    const handleSubmitEditing = useCallback(() => {
+      if (!isSubmitDisabled) {
+        onSubmit();
+      }
+    }, [isSubmitDisabled, onSubmit]);
+
+    const submitButtonProps = useMemo<ComponentProps<typeof Button>>(
+      () => ({
+        onPress: onSubmit,
+        loading: isLoading,
+        disabled: isSubmitDisabled || isLoading,
+      }),
+      [isSubmitDisabled, isLoading, onSubmit],
+    );
+
+    return (
+      <Page>
+        <OnboardingLayout>
+          <OnboardingLayout.Header />
+          <OnboardingLayout.Body constrained={false} scrollable={false}>
+            <OnboardingLayout.ConstrainedContent gap="$10">
+              <YStack gap="$2">
+                <SizableText size="$heading2xl">{title}</SizableText>
+                <SizableText size="$bodyLg" color={descriptionColor}>
+                  {description}
+                </SizableText>
+              </YStack>
+
+              <YStack gap="$6">
+                {/* Input Form */}
+                <HeightTransition initialHeight={50}>
+                  <YStack gap="$2">
+                    <Input
+                      ref={inputRef}
+                      size="large"
+                      placeholder={placeholder}
+                      textAlign="center"
+                      fontSize={platformEnv.isNative ? 20 : 24}
+                      h={50}
+                      maxLength={4}
+                      keyboardType="number-pad"
+                      secureTextEntry
+                      value={value}
+                      error={!!errorMessage}
+                      disabled={isInputDisabled}
+                      onChangeText={handleChangeText}
+                      onSubmitEditing={handleSubmitEditing}
+                    />
+                    {errorMessage ? (
+                      <SizableText size="$bodySm" color="$textCritical">
+                        {errorMessage}
+                      </SizableText>
+                    ) : null}
+                  </YStack>
+                </HeightTransition>
+
+                {/* Submit Button */}
+                {gtMd ? (
+                  <XStack gap="$2">
+                    {secondaryButtonText && onSecondaryButtonPress ? (
+                      <Button
+                        size="large"
+                        variant="secondary"
+                        flexGrow={1}
+                        flexBasis={0}
+                        onPress={onSecondaryButtonPress}
+                      >
+                        {secondaryButtonText}
+                      </Button>
+                    ) : null}
+                    <Button
+                      size="large"
+                      variant={isSubmitDisabled ? 'secondary' : 'primary'}
+                      flexGrow={1}
+                      flexBasis={0}
+                      {...submitButtonProps}
+                    >
+                      {buttonText}
+                    </Button>
+                  </XStack>
+                ) : null}
+
+                <KeylessOnboardingDebugPanel />
+              </YStack>
+            </OnboardingLayout.ConstrainedContent>
+          </OnboardingLayout.Body>
+          {!gtMd ? (
+            <Keyboard.StickyView>
+              <OnboardingLayout.Footer>
+                <YStack
+                  gap="$2"
+                  w="100%"
+                  y={platformEnv.isNative ? '$5' : '$0'}
+                >
+                  <Button
+                    size="large"
+                    variant={isSubmitDisabled ? 'secondary' : 'primary'}
+                    {...submitButtonProps}
+                  >
+                    {buttonText}
+                  </Button>
+                  {secondaryButtonText && onSecondaryButtonPress ? (
+                    <Button
+                      m="$0"
+                      py="$3"
+                      size="large"
+                      variant="tertiary"
+                      onPress={onSecondaryButtonPress}
+                    >
+                      {secondaryButtonText}
+                    </Button>
+                  ) : null}
+                </YStack>
+              </OnboardingLayout.Footer>
+            </Keyboard.StickyView>
+          ) : null}
+        </OnboardingLayout>
+      </Page>
+    );
+  },
+);
+
+PinInputLayout.displayName = 'PinInputLayout';
+
+export { PinInputLayout };
+export type IPinInputLayoutComponent = ForwardRefExoticComponent<
+  IPinInputLayoutProps & RefAttributes<IPinInputLayoutRef>
+>;
diff --git a/packages/kit/src/views/Onboardingv2/pages/ConfirmPinPage.tsx b/packages/kit/src/views/Onboardingv2/pages/ConfirmPinPage.tsx
new file mode 100644
index 000000000000..4f25120b6341
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/ConfirmPinPage.tsx
@@ -0,0 +1,119 @@
+import { useCallback, useState } from 'react';
+
+import { useRoute } from '@react-navigation/core';
+import { useIntl } from 'react-intl';
+
+import { EKeylessFinalizeAction } from '@onekeyhq/shared/src/keylessWallet/keylessWalletConsts';
+import { ETranslations } from '@onekeyhq/shared/src/locale/enum/translations';
+import type {
+  EOnboardingPagesV2,
+  IOnboardingParamListV2,
+} from '@onekeyhq/shared/src/routes';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
+
+import { AccountSelectorProviderMirror } from '../../../components/AccountSelector/AccountSelectorProvider';
+import { useKeylessWallet } from '../../../components/KeylessWallet/useKeylessWallet';
+import { PinInputLayout } from '../components/PinInputLayout';
+
+import type { RouteProp } from '@react-navigation/core';
+
+function ConfirmPinPage() {
+  const route =
+    useRoute<
+      RouteProp<IOnboardingParamListV2, EOnboardingPagesV2.ConfirmPin>
+    >();
+  const { action = EKeylessFinalizeAction.Create } = route.params ?? {};
+  const {
+    confirmKeylessOnboardingPin,
+    getKeylessOnboardingPin,
+    handleKeylessOnboardingTimeout,
+  } = useKeylessWallet();
+
+  const intl = useIntl();
+  const [confirmPin, setConfirmPin] = useState('');
+  const [isValid, setIsValid] = useState(false);
+  const [errorMessage, setErrorMessage] = useState('');
+  const [isLoading, setIsLoading] = useState(false);
+
+  const handlePinChange = useCallback(
+    async (filteredText: string) => {
+      setConfirmPin(filteredText);
+      setErrorMessage('');
+
+      // Auto-validate when 4 digits entered
+      if (filteredText.length === 4) {
+        const originalPin = await getKeylessOnboardingPin({ skipDelete: true });
+        if (!originalPin) {
+          handleKeylessOnboardingTimeout();
+          return;
+        }
+        if (filteredText === originalPin) {
+          setIsValid(true);
+        } else {
+          setErrorMessage(
+            intl.formatMessage({ id: ETranslations.incorrect_pin }),
+          );
+          setIsValid(false);
+        }
+      } else {
+        setIsValid(false);
+      }
+    },
+    [getKeylessOnboardingPin, handleKeylessOnboardingTimeout, intl],
+  );
+
+  const handleConfirm = useCallback(async () => {
+    setConfirmPin('');
+    const originalPin = await getKeylessOnboardingPin();
+    if (!originalPin) {
+      handleKeylessOnboardingTimeout();
+      return;
+    }
+    try {
+      setIsLoading(true);
+      await confirmKeylessOnboardingPin({
+        pin: originalPin || '',
+        action,
+      });
+    } finally {
+      setIsLoading(false);
+    }
+  }, [
+    action,
+    confirmKeylessOnboardingPin,
+    getKeylessOnboardingPin,
+    handleKeylessOnboardingTimeout,
+  ]);
+
+  return (
+    <PinInputLayout
+      title={intl.formatMessage({ id: ETranslations.confirm_your_pin })}
+      description={intl.formatMessage({
+        id: ETranslations.confirm_your_pin_desc,
+      })}
+      descriptionColor="$textCaution"
+      buttonText={intl.formatMessage({ id: ETranslations.global_confirm })}
+      value={confirmPin}
+      onChange={handlePinChange}
+      onSubmit={handleConfirm}
+      isSubmitDisabled={!isValid}
+      isLoading={isLoading}
+      errorMessage={errorMessage}
+    />
+  );
+}
+
+function ConfirmPinPageWithContext() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <ConfirmPinPage />
+    </AccountSelectorProviderMirror>
+  );
+}
+
+export { ConfirmPinPageWithContext as default };
diff --git a/packages/kit/src/views/Onboardingv2/pages/CreateOrImportWallet.tsx b/packages/kit/src/views/Onboardingv2/pages/CreateOrImportWallet.tsx
index f07cb92e3dc4..979984b539de 100644
--- a/packages/kit/src/views/Onboardingv2/pages/CreateOrImportWallet.tsx
+++ b/packages/kit/src/views/Onboardingv2/pages/CreateOrImportWallet.tsx
@@ -10,7 +10,6 @@ import {
   AnimatePresence,
   Badge,
   Button,
-  Dialog,
   HeightTransition,
   Icon,
   Image,
@@ -31,7 +30,6 @@ import {
   EOnboardingPages,
   EOnboardingPagesV2,
 } from '@onekeyhq/shared/src/routes';
-import { EPrimePages } from '@onekeyhq/shared/src/routes/prime';
 import externalWalletLogoUtils from '@onekeyhq/shared/src/utils/externalWalletLogoUtils';
 import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
 
@@ -43,8 +41,6 @@ import {
 } from '../../../components/KeylessWallet/useKeylessWallet';
 import { useOneKeyAuth } from '../../../components/OneKeyAuth/useOneKeyAuth';
 import useAppNavigation from '../../../hooks/useAppNavigation';
-import { TermsAndPrivacy } from '../../Onboarding/pages/GetStarted/components';
-import { showOneKeyIDLoginDialog } from '../../Prime/components/OneKeyIDLoginDialog';
 import { OnboardingLayout } from '../components/OnboardingLayout';
 
 import { AnimatedDeviceAvatar } from './GetStarted';
@@ -152,12 +148,14 @@ function CreateOrImportWallet() {
   const [expanded, setExpanded] = useState(false);
   const [keylessExpanded, setKeylessExpanded] = useState(false);
   const isKeylessWalletEnabled = useKeylessWalletFeatureIsEnabled();
-  const { enableKeylessWallet, enableKeylessWalletLoading } =
-    useKeylessWallet();
+  const {
+    enableKeylessWallet,
+    enableKeylessWalletLoading,
+    checkKeylessWalletLocalExistence,
+  } = useKeylessWallet();
 
   const walletKeys = ['metamask', 'okx', 'rainbow', 'tokenpocket'] as const;
   const navigation = useAppNavigation();
-  const { isLoggedIn } = useOneKeyAuth();
 
   const handleExpand = useCallback(() => {
     setExpanded((prev) => !prev);
@@ -202,10 +200,19 @@ function CreateOrImportWallet() {
   };
 
   const handleKeylessWalletClick = useCallback(async () => {
+    // await enableKeylessWallet({
+    //   fromScene: EKeylessWalletEnableScene.Onboarding,
+    // });
+    // navigation.push(EOnboardingPagesV2.OneKeyIDLogin);
+    await checkKeylessWalletLocalExistence();
+  }, [checkKeylessWalletLocalExistence]);
+
+  const handleKeylessWalletLegacyClick = useCallback(async () => {
     await enableKeylessWallet({
       fromScene: EKeylessWalletEnableScene.Onboarding,
     });
   }, [enableKeylessWallet]);
+
   return (
     <Page>
       <OnboardingLayout>
@@ -300,6 +307,11 @@ function CreateOrImportWallet() {
               </>
             ) : null}
             {/* keyless wallet */}
+            {isKeylessWalletEnabled && platformEnv.isDev ? (
+              <Button onPress={handleKeylessWalletLegacyClick}>
+                Keyless wallet legacy
+              </Button>
+            ) : null}
             {isKeylessWalletEnabled ? (
               <Card onPress={handleKeylessWalletClick}>
                 <Card.Header>
@@ -317,7 +329,11 @@ function CreateOrImportWallet() {
                     <Icon name="CloudOutline" color="$iconOnColor" />
                   </YStack>
                   <YStack gap="$0.5" flex={1} alignItems="flex-start">
-                    <Card.Title>Keyless wallet</Card.Title>
+                    <Card.Title>
+                      {intl.formatMessage({
+                        id: ETranslations.keyless_wallet,
+                      })}
+                    </Card.Title>
                     <Button
                       px="$1"
                       py="$0.5"
@@ -355,28 +371,63 @@ function CreateOrImportWallet() {
                     {intl.formatMessage({ id: ETranslations.global_enabled })}
                   </SizableText>
                 ) : null} */}
-                  {enableKeylessWalletLoading ? (
-                    <Spinner size="small" color="$iconDisabled" />
-                  ) : (
-                    <Icon
-                      name="ChevronRightSmallOutline"
-                      color="$iconSubdued"
-                    />
-                  )}
+                  <AnimatePresence exitBeforeEnter initial={false}>
+                    {enableKeylessWalletLoading ? (
+                      <YStack
+                        key="loading"
+                        animation="quick"
+                        animateOnly={['transform', 'opacity']}
+                        enterStyle={{ scale: 0.7, opacity: 0 }}
+                        exitStyle={{ scale: 0.7, opacity: 0 }}
+                        pr="$0.5"
+                      >
+                        <Spinner size="small" color="$iconDisabled" />
+                      </YStack>
+                    ) : (
+                      <YStack
+                        key="icon"
+                        animation="quick"
+                        animateOnly={['transform', 'opacity']}
+                        enterStyle={{ scale: 0.7, opacity: 0 }}
+                        exitStyle={{ scale: 0.7, opacity: 0 }}
+                      >
+                        <Icon
+                          name="ChevronRightSmallOutline"
+                          color="$iconSubdued"
+                        />
+                      </YStack>
+                    )}
+                  </AnimatePresence>
                 </Card.Header>
                 <Card.Body>
                   <XStack gap="$2" flexWrap="wrap">
                     {[
                       {
-                        title: 'Recovery phrase free',
+                        title: intl.formatMessage({
+                          id: ETranslations.recovery_phrase_free,
+                        }),
                         badge: 'success' as const,
                       },
-                      { title: 'Beginner-friendly' },
-                      { title: 'Supports hundreds of networks' },
                       {
-                        title: 'Open-source secure sharding',
+                        title: intl.formatMessage({
+                          id: ETranslations.beginner_friendly,
+                        }),
+                      },
+                      {
+                        title: intl.formatMessage({
+                          id: ETranslations.create_new_wallet_badge_supports,
+                        }),
+                      },
+                      {
+                        title: intl.formatMessage({
+                          id: ETranslations.open_source_secure_sharding,
+                        }),
+                      },
+                      {
+                        title: intl.formatMessage({
+                          id: ETranslations.ultra_fast_setup,
+                        }),
                       },
-                      { title: 'Ultra-fast setup' },
                     ].map((item, index) => (
                       <Badge
                         key={index}
@@ -399,11 +450,6 @@ function CreateOrImportWallet() {
                           size="$3"
                           y={-1}
                         />
-                        <Icon
-                          name="EmailOutline"
-                          color="$iconActive"
-                          size="$3"
-                        />
                       </XStack>
                     </Badge>
                   </XStack>
@@ -422,11 +468,9 @@ function CreateOrImportWallet() {
                           }}
                         >
                           <SizableText size="$bodySm" color="$textSubdued">
-                            Cloud wallet, powered by Shamir encrypted backup,
-                            splits your seed phrase into 3 parts. Any 2 parts
-                            can restore your wallet, and you always retain full
-                            control of your assets. Even if one part is lost,
-                            your wallet remains safe and recoverable.
+                            {intl.formatMessage({
+                              id: ETranslations.keyless_wallet_desc,
+                            })}
                           </SizableText>
                         </YStack>
                       ) : null}
@@ -435,6 +479,7 @@ function CreateOrImportWallet() {
                 </Card.Body>
               </Card>
             ) : null}
+
             {/* create new wallet */}
             <Card onPress={handleCreateNewWallet}>
               <Card.Header>
@@ -454,7 +499,9 @@ function CreateOrImportWallet() {
                 <YStack gap="$0.5" flex={1} alignItems="flex-start">
                   <Card.Title>
                     {isKeylessWalletEnabled
-                      ? 'Seed phrase wallet'
+                      ? intl.formatMessage({
+                          id: ETranslations.seed_phrase_wallet,
+                        })
                       : intl.formatMessage({
                           id: ETranslations.onboarding_create_new_wallet,
                         })}
diff --git a/packages/kit/src/views/Onboardingv2/pages/CreatePasscodePage.tsx b/packages/kit/src/views/Onboardingv2/pages/CreatePasscodePage.tsx
new file mode 100644
index 000000000000..22ff8cc0fcac
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/CreatePasscodePage.tsx
@@ -0,0 +1,122 @@
+import { Suspense, useCallback, useState } from 'react';
+
+import { useIntl } from 'react-intl';
+
+import { Page, SizableText, Spinner, YStack } from '@onekeyhq/components';
+import { usePasswordModeAtom } from '@onekeyhq/kit-bg/src/states/jotai/atoms';
+import { ETranslations } from '@onekeyhq/shared/src/locale';
+import type {
+  EOnboardingPagesV2,
+  IOnboardingParamListV2,
+} from '@onekeyhq/shared/src/routes/onboardingv2';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
+
+import backgroundApiProxy from '../../../background/instance/backgroundApiProxy';
+import { AccountSelectorProviderMirror } from '../../../components/AccountSelector';
+import { useKeylessWallet } from '../../../components/KeylessWallet/useKeylessWallet';
+import PasswordSetup from '../../../components/Password/components/PasswordSetup';
+import PasswordSetupContainer from '../../../components/Password/container/PasswordSetupContainer';
+import PasswordVerifyContainer from '../../../components/Password/container/PasswordVerifyContainer';
+import { useAppRoute } from '../../../hooks/useAppRoute';
+import { usePromiseResult } from '../../../hooks/usePromiseResult';
+import { OnboardingLayout } from '../components/OnboardingLayout';
+
+import type { IPasswordSetupForm } from '../../../components/Password/components/PasswordSetup';
+
+function PasscodeFormView() {
+  const intl = useIntl();
+  const { result: isPasswordSet } = usePromiseResult(async () => {
+    return backgroundApiProxy.servicePassword.checkPasswordSet();
+  }, []);
+  const { finalizeKeylessWalletV2 } = useKeylessWallet();
+  const route = useAppRoute<
+    IOnboardingParamListV2,
+    EOnboardingPagesV2.CreatePasscode
+  >();
+
+  const handlePasscodeConfirm = useCallback(
+    async (_passcode: string) => {
+      await finalizeKeylessWalletV2({ action: route?.params?.action });
+    },
+    [finalizeKeylessWalletV2, route.params.action],
+  );
+
+  if (isPasswordSet === undefined) {
+    return <Spinner size="large" />;
+  }
+  let formView = null;
+  if (isPasswordSet) {
+    formView = (
+      <Suspense fallback={<Spinner size="large" />}>
+        <PasswordVerifyContainer pageMode onVerifyRes={handlePasscodeConfirm} />
+      </Suspense>
+    );
+  } else {
+    formView = (
+      <Suspense fallback={<Spinner size="large" />}>
+        <PasswordSetupContainer pageMode onSetupRes={handlePasscodeConfirm} />
+      </Suspense>
+    );
+  }
+  return (
+    <>
+      <YStack gap="$2">
+        <SizableText size="$heading2xl">
+          {!isPasswordSet
+            ? intl.formatMessage({
+                id: ETranslations.global_set_passcode,
+              })
+            : intl.formatMessage({
+                id: ETranslations.auth_confirm_passcode_form_label,
+              })}
+        </SizableText>
+        <SizableText size="$bodyLg" color="$textSubdued">
+          {intl.formatMessage({ id: ETranslations.create_passcode_desc })}
+        </SizableText>
+      </YStack>
+      {formView}
+    </>
+  );
+}
+
+function CreatePasscodePage() {
+  const intl = useIntl();
+  const [loading, setLoading] = useState(false);
+  const [step, setStep] = useState<'create' | 'confirm'>('create');
+  const [passwordMode] = usePasswordModeAtom();
+
+  const handleSetupPasscode = useCallback((data: IPasswordSetupForm) => {
+    setLoading(true);
+    // TODO: Handle passcode setup
+    console.log('Passcode setup:', data);
+    setLoading(false);
+  }, []);
+
+  return (
+    <Page>
+      <OnboardingLayout>
+        <OnboardingLayout.Header />
+        <OnboardingLayout.Body constrained={false} scrollable={false}>
+          <OnboardingLayout.ConstrainedContent gap="$10">
+            <PasscodeFormView />
+          </OnboardingLayout.ConstrainedContent>
+        </OnboardingLayout.Body>
+      </OnboardingLayout>
+    </Page>
+  );
+}
+
+function CreatePasscodePageWithContext() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <CreatePasscodePage />
+    </AccountSelectorProviderMirror>
+  );
+}
+
+export { CreatePasscodePageWithContext as default };
diff --git a/packages/kit/src/views/Onboardingv2/pages/CreatePinPage.tsx b/packages/kit/src/views/Onboardingv2/pages/CreatePinPage.tsx
new file mode 100644
index 000000000000..c024e4b5a006
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/CreatePinPage.tsx
@@ -0,0 +1,83 @@
+import { useCallback, useState } from 'react';
+
+import { useRoute } from '@react-navigation/core';
+import { useIntl } from 'react-intl';
+
+import { SizableText } from '@onekeyhq/components';
+import { EKeylessFinalizeAction } from '@onekeyhq/shared/src/keylessWallet/keylessWalletConsts';
+import { ETranslations } from '@onekeyhq/shared/src/locale/enum/translations';
+import type { IOnboardingParamListV2 } from '@onekeyhq/shared/src/routes';
+import { EOnboardingPagesV2 } from '@onekeyhq/shared/src/routes';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
+
+import { AccountSelectorProviderMirror } from '../../../components/AccountSelector/AccountSelectorProvider';
+import { useKeylessWallet } from '../../../components/KeylessWallet/useKeylessWallet';
+import useAppNavigation from '../../../hooks/useAppNavigation';
+import { PinInputLayout } from '../components/PinInputLayout';
+
+import type { RouteProp } from '@react-navigation/core';
+
+function CreatePinPage() {
+  const navigation = useAppNavigation();
+  const route =
+    useRoute<RouteProp<IOnboardingParamListV2, EOnboardingPagesV2.CreatePin>>();
+  const { action } = route.params ?? {};
+  const isResetPin = action === EKeylessFinalizeAction.ResetPin;
+  const { cacheKeylessOnboardingPin } = useKeylessWallet();
+
+  const intl = useIntl();
+  const [pin, setPin] = useState('');
+
+  const handleContinue = useCallback(async () => {
+    if (pin) {
+      await cacheKeylessOnboardingPin({ pin });
+      setPin('');
+      navigation.push(EOnboardingPagesV2.ConfirmPin, { action });
+    }
+  }, [action, cacheKeylessOnboardingPin, navigation, pin]);
+
+  const highlightDescription = useCallback(
+    (chunks: React.ReactNode) => (
+      <SizableText size="$bodyLg" color="$textCaution">
+        {chunks}
+      </SizableText>
+    ),
+    [],
+  );
+
+  return (
+    <PinInputLayout
+      title={
+        isResetPin
+          ? 'Create a new PIN'
+          : intl.formatMessage({ id: ETranslations.create_a_pin })
+      }
+      description={intl.formatMessage(
+        { id: ETranslations.create_a_pin_desc },
+        {
+          highlight: highlightDescription,
+        },
+      )}
+      buttonText={intl.formatMessage({ id: ETranslations.global_continue })}
+      value={pin}
+      onChange={setPin}
+      onSubmit={handleContinue}
+      isSubmitDisabled={pin.length !== 4}
+    />
+  );
+}
+
+function CreatePinPageWithContext() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <CreatePinPage />
+    </AccountSelectorProviderMirror>
+  );
+}
+
+export { CreatePinPageWithContext as default };
diff --git a/packages/kit/src/views/Onboardingv2/pages/FinalizeWalletSetup.tsx b/packages/kit/src/views/Onboardingv2/pages/FinalizeWalletSetup.tsx
index eb8957b9472a..608d668d94ab 100644
--- a/packages/kit/src/views/Onboardingv2/pages/FinalizeWalletSetup.tsx
+++ b/packages/kit/src/views/Onboardingv2/pages/FinalizeWalletSetup.tsx
@@ -178,6 +178,8 @@ function FinalizeWalletSetupPage({
   const deviceData = route?.params?.deviceData;
   const isFirmwareVerified = route?.params?.isFirmwareVerified;
   const isWalletBackedUp = route?.params?.isWalletBackedUp;
+  const isKeylessWallet = route?.params?.isKeylessWallet;
+  const keylessDetailsInfo = route?.params?.keylessDetailsInfo;
 
   const initialStep = EFinalizeWalletSetupSteps.CreatingWallet;
 
@@ -305,6 +307,8 @@ function FinalizeWalletSetupPage({
             await actions.current.createHDWallet({
               mnemonic,
               isWalletBackedUp,
+              isKeylessWallet,
+              keylessDetailsInfo,
             });
           },
         });
@@ -342,13 +346,15 @@ function FinalizeWalletSetupPage({
     mnemonic,
     deviceData,
     isFirmwareVerified,
+    keylessPackSetId,
     mnemonicType,
     actions,
     isWalletBackedUp,
+    isKeylessWallet,
+    keylessDetailsInfo,
     goNextStep,
     connectDevice,
     createHWWallet,
-    keylessPackSetId,
   ]);
 
   useEffect(() => {
diff --git a/packages/kit/src/views/Onboardingv2/pages/GetStarted.tsx b/packages/kit/src/views/Onboardingv2/pages/GetStarted.tsx
index 6dc595812144..6d98fde8719c 100644
--- a/packages/kit/src/views/Onboardingv2/pages/GetStarted.tsx
+++ b/packages/kit/src/views/Onboardingv2/pages/GetStarted.tsx
@@ -1,4 +1,4 @@
-import { memo, useEffect, useMemo, useState } from 'react';
+import { memo, useCallback, useEffect, useMemo, useState } from 'react';
 
 import { EDeviceType } from '@onekeyfe/hd-shared';
 import { MotiView } from 'moti';
@@ -14,26 +14,34 @@ import Svg, {
 
 import type { IYStackProps } from '@onekeyhq/components';
 import {
+  AnimatePresence,
   BlurView,
   Button,
   DecorativeOneKeyLogo,
   Icon,
   Page,
   SizableText,
+  Spinner,
   Stack,
   XStack,
   YStack,
   useMedia,
   useTheme,
 } from '@onekeyhq/components';
-import { useKeylessWalletFeatureIsEnabled } from '@onekeyhq/kit/src/components/KeylessWallet/useKeylessWallet';
+import {
+  useKeylessWallet,
+  useKeylessWalletFeatureIsEnabled,
+} from '@onekeyhq/kit/src/components/KeylessWallet/useKeylessWallet';
 import useAppNavigation from '@onekeyhq/kit/src/hooks/useAppNavigation';
+import { EOAuthSocialLoginProvider } from '@onekeyhq/shared/src/consts/authConsts';
 import { ETranslations } from '@onekeyhq/shared/src/locale';
 import { defaultLogger } from '@onekeyhq/shared/src/logger/logger';
 import platformEnv from '@onekeyhq/shared/src/platformEnv';
 import { EOnboardingPagesV2 } from '@onekeyhq/shared/src/routes';
 import type { HwWalletAvatarImages } from '@onekeyhq/shared/src/utils/avatarUtils';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
 
+import { AccountSelectorProviderMirror } from '../../../components/AccountSelector';
 import { WalletAvatar } from '../../../components/WalletAvatar';
 import { useThemeVariant } from '../../../hooks/useThemeVariant';
 import { TermsAndPrivacy } from '../../Onboarding/pages/GetStarted/components';
@@ -299,7 +307,7 @@ export const AnimatedDeviceAvatar = memo(
 
 AnimatedDeviceAvatar.displayName = 'AnimatedDeviceAvatar';
 
-export default function GetStarted() {
+function GetStarted() {
   const navigation = useAppNavigation();
   const handleGetStarted = () => {
     navigation.push(EOnboardingPagesV2.PickYourDevice);
@@ -308,11 +316,20 @@ export default function GetStarted() {
   const { gtMd } = useMedia();
   const intl = useIntl();
   const isKeylessWalletEnabled = useKeylessWalletFeatureIsEnabled();
+  const { enableKeylessWalletLoading, checkKeylessWalletLocalExistence } =
+    useKeylessWallet();
 
   const handleCreateOrImportWallet = () => {
     navigation.push(EOnboardingPagesV2.CreateOrImportWallet);
   };
 
+  const handleGoogleLogin = useCallback(async () => {
+    await checkKeylessWalletLocalExistence({
+      signInProvider: EOAuthSocialLoginProvider.Google,
+    });
+  }, [checkKeylessWalletLocalExistence]);
+
+  // Cache theme values to avoid multiple useThemeValue calls during render
   const theme = useTheme();
   const neutral6 = theme.neutral6.val;
   const bgColor = theme.bgApp.val;
@@ -404,7 +421,7 @@ export default function GetStarted() {
                 </GridItem>
               </YStack>
             </YStack>
-            <YStack gap={56} justifyContent="center" alignItems="center">
+            <YStack gap={44} justifyContent="center" alignItems="center">
               <DecorativeOneKeyLogo />
               <Stack gap="$4" minWidth="$80" zIndex={1}>
                 <Button
@@ -432,12 +449,41 @@ export default function GetStarted() {
                       pressStyle={{ bg: '$gray5' }}
                       size="large"
                       childrenAsText={false}
-                      onPress={handleCreateOrImportWallet}
+                      onPress={
+                        enableKeylessWalletLoading
+                          ? undefined
+                          : handleGoogleLogin
+                      }
                     >
                       <XStack gap="$2" alignItems="center">
-                        <Icon name="GoogleIllus" size="$5" />
+                        <AnimatePresence exitBeforeEnter initial={false}>
+                          {enableKeylessWalletLoading ? (
+                            <YStack
+                              key="loading"
+                              animation="quick"
+                              animateOnly={['transform', 'opacity']}
+                              enterStyle={{ scale: 0.7, opacity: 0 }}
+                              exitStyle={{ scale: 0.7, opacity: 0 }}
+                            >
+                              <Spinner size="small" />
+                            </YStack>
+                          ) : (
+                            <YStack
+                              key="icon"
+                              animation="quick"
+                              animateOnly={['transform', 'opacity']}
+                              enterStyle={{ scale: 0.7, opacity: 0 }}
+                              exitStyle={{ scale: 0.7, opacity: 0 }}
+                            >
+                              <Icon name="GoogleIllus" size="$5" />
+                            </YStack>
+                          )}
+                        </AnimatePresence>
                         <SizableText size="$bodyLgMedium">
-                          Continue with Google
+                          {intl.formatMessage(
+                            { id: ETranslations.continue_with_social_platform },
+                            { platform: 'Google' },
+                          )}
                         </SizableText>
                       </XStack>
                     </Button>
@@ -483,3 +529,17 @@ export default function GetStarted() {
     </Page>
   );
 }
+
+function GetStartedWithContext() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <GetStarted />
+    </AccountSelectorProviderMirror>
+  );
+}
+export default GetStartedWithContext;
diff --git a/packages/kit/src/views/Onboardingv2/pages/KeylessOnboardingDebugPanel.tsx b/packages/kit/src/views/Onboardingv2/pages/KeylessOnboardingDebugPanel.tsx
new file mode 100644
index 000000000000..84e0291a60c9
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/KeylessOnboardingDebugPanel.tsx
@@ -0,0 +1,110 @@
+import { useCallback } from 'react';
+
+import {
+  Button,
+  Checkbox,
+  Dialog,
+  Input,
+  Toast,
+  YStack,
+} from '@onekeyhq/components';
+
+import backgroundApiProxy from '../../../background/instance/backgroundApiProxy';
+import { useKeylessWallet } from '../../../components/KeylessWallet/useKeylessWallet';
+import { MultipleClickStack } from '../../../components/MultipleClickStack';
+import useAppNavigation from '../../../hooks/useAppNavigation';
+
+export function KeylessOnboardingDebugPanel({
+  isResetMode,
+  onResetModeChange,
+}: {
+  isResetMode?: boolean;
+  onResetModeChange?: (val: boolean) => void;
+}) {
+  const navigation = useAppNavigation();
+  const { cacheKeylessOnboardingCustomMnemonic } = useKeylessWallet();
+
+  const handleImportCustomMnemonic = useCallback(() => {
+    Dialog.confirm({
+      title: 'Custom Mnemonic',
+      renderContent: (
+        <Dialog.Form
+          formProps={{
+            defaultValues: { mnemonic: '' },
+          }}
+        >
+          <Dialog.FormField
+            name="mnemonic"
+            rules={{
+              required: {
+                value: true,
+                message: 'Mnemonic is required',
+              },
+            }}
+          >
+            <Input
+              autoFocus
+              flex={1}
+              placeholder="Enter your custom mnemonic phrase"
+              secureTextEntry
+            />
+          </Dialog.FormField>
+        </Dialog.Form>
+      ),
+      onConfirm: async (dialogInstance) => {
+        const form = dialogInstance.getForm();
+        if (!form) {
+          return;
+        }
+        const { mnemonic } = form.getValues() as { mnemonic: string };
+        if (!mnemonic?.trim()) {
+          return;
+        }
+
+        await cacheKeylessOnboardingCustomMnemonic({
+          customMnemonic: mnemonic.trim(),
+        });
+
+        Toast.success({
+          title: 'Custom mnemonic saved.',
+        });
+      },
+    });
+  }, [cacheKeylessOnboardingCustomMnemonic]);
+
+  return (
+    <YStack>
+      <MultipleClickStack
+        h="$10"
+        w="100%"
+        showDevBgColor
+        debugComponent={
+          <YStack gap="$2" py="$4">
+            <Checkbox
+              label="重置云端无私钥钱包（先勾选，再登录 Google 或 Apple 生效）"
+              value={isResetMode}
+              onChange={(checked) => {
+                onResetModeChange?.(!!checked);
+              }}
+            />
+
+            <Button
+              onPress={async () => {
+                await backgroundApiProxy.servicePassword.clearCachedPassword();
+                Toast.success({
+                  title: '已清空内存密码',
+                });
+              }}
+            >
+              清空内存密码
+            </Button>
+
+            <Button onPress={handleImportCustomMnemonic}>
+              自定义助记词创建钱包
+            </Button>
+          </YStack>
+        }
+      />
+    </YStack>
+  );
+}
diff --git a/packages/kit/src/views/Onboardingv2/pages/NewPinCreatedPage.tsx b/packages/kit/src/views/Onboardingv2/pages/NewPinCreatedPage.tsx
new file mode 100644
index 000000000000..bd50c3dfeacf
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/NewPinCreatedPage.tsx
@@ -0,0 +1,64 @@
+import { useCallback, useEffect } from 'react';
+
+import { useIntl } from 'react-intl';
+
+import { Button, Icon, Page, SizableText, YStack } from '@onekeyhq/components';
+import { ETranslations } from '@onekeyhq/shared/src/locale';
+
+import useAppNavigation from '../../../hooks/useAppNavigation';
+import { OnboardingLayout } from '../components/OnboardingLayout';
+
+function NewPinCreatedPage() {
+  const navigation = useAppNavigation();
+  const intl = useIntl();
+
+  const handleClose = useCallback(() => {
+    // Exit the entire onboarding flow
+    navigation.popStack();
+  }, [navigation]);
+
+  // Close this page 5s later automatically
+  useEffect(() => {
+    const timer = setTimeout(() => {
+      handleClose();
+    }, 5000);
+
+    return () => clearTimeout(timer);
+  }, [handleClose]);
+
+  return (
+    <Page>
+      <OnboardingLayout>
+        <OnboardingLayout.Header showBackButton={false} />
+        <OnboardingLayout.Body constrained={false} scrollable={false}>
+          <OnboardingLayout.ConstrainedContent gap="$10">
+            <YStack gap="$2">
+              <YStack
+                p="$5"
+                bg="$bgSuccessStrong"
+                borderRadius="$full"
+                alignSelf="flex-start"
+                mb="$5"
+              >
+                <Icon name="CheckmarkSolid" color="$iconOnColor" />
+              </YStack>
+              <SizableText size="$heading2xl">
+                {intl.formatMessage({ id: ETranslations.new_pin_created })}
+              </SizableText>
+              <SizableText size="$bodyLg" color="$textSubdued">
+                {intl.formatMessage({
+                  id: ETranslations.new_pin_created_desc,
+                })}
+              </SizableText>
+            </YStack>
+            <Button size="large" onPress={handleClose}>
+              {intl.formatMessage({ id: ETranslations.global_close })}
+            </Button>
+          </OnboardingLayout.ConstrainedContent>
+        </OnboardingLayout.Body>
+      </OnboardingLayout>
+    </Page>
+  );
+}
+
+export { NewPinCreatedPage as default };
diff --git a/packages/kit/src/views/Onboardingv2/pages/OneKeyIDLoginPage.tsx b/packages/kit/src/views/Onboardingv2/pages/OneKeyIDLoginPage.tsx
new file mode 100644
index 000000000000..43b8f9b11210
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/OneKeyIDLoginPage.tsx
@@ -0,0 +1,252 @@
+import { useCallback, useRef, useState } from 'react';
+
+import { useIntl } from 'react-intl';
+import { StyleSheet } from 'react-native';
+
+import type { IIconProps, IKeyOfIcons } from '@onekeyhq/components';
+import {
+  Anchor,
+  AnimatePresence,
+  Dialog,
+  Icon,
+  Page,
+  SizableText,
+  Spinner,
+  Toast,
+  YStack,
+} from '@onekeyhq/components';
+import { EOAuthSocialLoginProvider } from '@onekeyhq/shared/src/consts/authConsts';
+import { ETranslations } from '@onekeyhq/shared/src/locale/enum/translations';
+import type {
+  EOnboardingPagesV2,
+  EOnboardingV2OneKeyIDLoginMode,
+  IOnboardingParamListV2,
+} from '@onekeyhq/shared/src/routes';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
+
+import backgroundApiProxy from '../../../background/instance/backgroundApiProxy';
+import { AccountSelectorProviderMirror } from '../../../components/AccountSelector/AccountSelectorProvider';
+import { useKeylessWallet } from '../../../components/KeylessWallet/useKeylessWallet';
+import { ListItem } from '../../../components/ListItem';
+import { useOneKeyAuth } from '../../../components/OneKeyAuth/useOneKeyAuth';
+import useAppNavigation from '../../../hooks/useAppNavigation';
+import { useAppRoute } from '../../../hooks/useAppRoute';
+import { OnboardingLayout } from '../components/OnboardingLayout';
+
+import { KeylessOnboardingDebugPanel } from './KeylessOnboardingDebugPanel';
+
+function OptionItem({
+  icon,
+  iconProps,
+  title,
+  isLoading,
+  onPress,
+}: {
+  icon: IKeyOfIcons;
+  iconProps?: IIconProps;
+  title: string;
+  isLoading?: boolean;
+  onPress?: () => void;
+}) {
+  return (
+    <ListItem
+      gap="$3"
+      bg="$bg"
+      $platform-web={{
+        boxShadow:
+          '0 0 0 1px rgba(0, 0, 0, 0.04), 0 0 2px 0 rgba(0, 0, 0, 0.08), 0 1px 2px 0 rgba(0, 0, 0, 0.06)',
+      }}
+      $theme-dark={{
+        bg: '$neutral2',
+        borderWidth: StyleSheet.hairlineWidth,
+        borderColor: '$neutral3',
+      }}
+      $platform-native={{
+        borderWidth: StyleSheet.hairlineWidth,
+        borderColor: '$borderSubdued',
+      }}
+      borderRadius="$5"
+      borderCurve="continuous"
+      p="$3"
+      m="$0"
+      onPress={onPress}
+      userSelect="none"
+    >
+      <YStack
+        borderRadius="$full"
+        bg="$neutral2"
+        borderWidth={StyleSheet.hairlineWidth}
+        borderColor="$neutral2"
+        p="$2"
+      >
+        <Icon name={icon} {...iconProps} />
+      </YStack>
+      <YStack gap={2} flex={1}>
+        <SizableText size="$bodyLgMedium">{title}</SizableText>
+      </YStack>
+      <YStack w="$6" h="$6" alignItems="center" justifyContent="center">
+        <AnimatePresence initial={false} exitBeforeEnter>
+          {isLoading ? (
+            <YStack
+              key="loading-spinner"
+              animation="quick"
+              animateOnly={['transform', 'opacity']}
+              enterStyle={{ scale: 0.7, opacity: 0 }}
+              exitStyle={{ scale: 0.7, opacity: 0 }}
+            >
+              <Spinner size="small" />
+            </YStack>
+          ) : (
+            <YStack
+              key="chevron-right"
+              animation="quick"
+              enterStyle={{ scale: 0.7, opacity: 0 }}
+              exitStyle={{ scale: 0.7, opacity: 0 }}
+            >
+              <Icon name="ChevronRightSmallOutline" color="$iconDisabled" />
+            </YStack>
+          )}
+        </AnimatePresence>
+      </YStack>
+    </ListItem>
+  );
+}
+
+function OneKeyIDLoginPage() {
+  const navigation = useAppNavigation();
+  const [loggingInProvider, setLoggingInProvider] =
+    useState<EOAuthSocialLoginProvider | null>(null);
+  const [isResetMode, setIsResetMode] = useState(false);
+  const route = useAppRoute<
+    IOnboardingParamListV2,
+    EOnboardingPagesV2.OneKeyIDLogin
+  >();
+  const loggingInProviderRef = useRef<EOAuthSocialLoginProvider | null>(null);
+  loggingInProviderRef.current = loggingInProvider;
+  const mode: EOnboardingV2OneKeyIDLoginMode | undefined = route?.params?.mode;
+  const intl = useIntl();
+
+  const { logout, signInWithSocialLogin } = useOneKeyAuth();
+  const { checkKeylessWalletCreatedOnServer } = useKeylessWallet();
+
+  const handleSocialLogin = useCallback(
+    async (provider: EOAuthSocialLoginProvider) => {
+      if (loggingInProviderRef.current) {
+        return;
+      }
+      try {
+        setLoggingInProvider(provider);
+        const result = await signInWithSocialLogin(provider);
+        if (result?.session?.accessToken) {
+          if (isResetMode) {
+            await backgroundApiProxy.serviceKeylessWallet.apiResetKeylessBackendShare(
+              {
+                token: result.session.accessToken,
+              },
+            );
+            Toast.success({
+              title: 'Reset Success',
+            });
+            setIsResetMode(false);
+          } else {
+            await checkKeylessWalletCreatedOnServer({
+              token: result.session.accessToken,
+              refreshToken: result.session.refreshToken,
+              mode,
+            });
+          }
+        }
+      } finally {
+        setLoggingInProvider(null);
+      }
+    },
+    [
+      checkKeylessWalletCreatedOnServer,
+      isResetMode,
+      mode,
+      signInWithSocialLogin,
+    ],
+  );
+
+  const handleGoogleLogin = useCallback(async () => {
+    await handleSocialLogin(EOAuthSocialLoginProvider.Google);
+  }, [handleSocialLogin]);
+
+  const handleAppleLogin = useCallback(async () => {
+    await handleSocialLogin(EOAuthSocialLoginProvider.Apple);
+  }, [handleSocialLogin]);
+
+  return (
+    <Page>
+      <OnboardingLayout>
+        <OnboardingLayout.Header />
+        <OnboardingLayout.Body constrained={false} scrollable={false}>
+          <OnboardingLayout.ConstrainedContent gap="$10">
+            <YStack gap="$2">
+              <SizableText size="$heading3xl">
+                {intl.formatMessage({ id: ETranslations.select_your_email })}
+              </SizableText>
+              <SizableText size="$bodyLg" color="$textSubdued">
+                {intl.formatMessage({
+                  id: ETranslations.select_your_email_desc,
+                })}
+              </SizableText>
+            </YStack>
+            <YStack gap="$3">
+              <OptionItem
+                icon="GoogleIllus"
+                title="Google"
+                onPress={handleGoogleLogin}
+                isLoading={
+                  loggingInProvider === EOAuthSocialLoginProvider.Google
+                }
+              />
+              <OptionItem
+                icon="AppleBrand"
+                title="Apple"
+                iconProps={{
+                  color: '$iconActive',
+                  y: -1,
+                }}
+                onPress={handleAppleLogin}
+                isLoading={
+                  loggingInProvider === EOAuthSocialLoginProvider.Apple
+                }
+              />
+            </YStack>
+            <KeylessOnboardingDebugPanel
+              isResetMode={isResetMode}
+              onResetModeChange={setIsResetMode}
+            />
+          </OnboardingLayout.ConstrainedContent>
+        </OnboardingLayout.Body>
+        <OnboardingLayout.Footer>
+          <Anchor
+            href="https://help.onekey.so/articles/11461088"
+            target="_blank"
+            size="$bodySm"
+            color="$textSubdued"
+            textAlign="center"
+          >
+            TODO — Link to "How to create wallet with Apple or Google account"
+          </Anchor>
+        </OnboardingLayout.Footer>
+      </OnboardingLayout>
+    </Page>
+  );
+}
+
+function OneKeyIDLoginPageWithContext() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <OneKeyIDLoginPage />
+    </AccountSelectorProviderMirror>
+  );
+}
+
+export { OneKeyIDLoginPageWithContext as default };
diff --git a/packages/kit/src/views/Onboardingv2/pages/ResetPinPage.tsx b/packages/kit/src/views/Onboardingv2/pages/ResetPinPage.tsx
new file mode 100644
index 000000000000..1422faafa5f6
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/ResetPinPage.tsx
@@ -0,0 +1,124 @@
+import { useCallback } from 'react';
+
+import { useIntl } from 'react-intl';
+
+import {
+  Button,
+  Page,
+  SizableText,
+  XStack,
+  YStack,
+  useMedia,
+} from '@onekeyhq/components';
+import { ETranslations } from '@onekeyhq/shared/src/locale';
+
+import useAppNavigation from '../../../hooks/useAppNavigation';
+import { OnboardingLayout } from '../components/OnboardingLayout';
+
+function ResetPinPage() {
+  const intl = useIntl();
+  const navigation = useAppNavigation();
+  const { gtMd } = useMedia();
+  const handleDone = useCallback(() => {
+    navigation.pop();
+  }, [navigation]);
+
+  const STEPS = [
+    {
+      title: intl.formatMessage({
+        id: ETranslations.reset_pin_open_other_device,
+      }),
+      description: intl.formatMessage({
+        id: ETranslations.reset_pin_open_other_device_desc,
+      }),
+    },
+    {
+      title: intl.formatMessage({
+        id: ETranslations.reset_pin_go_to_settings,
+      }),
+      description: intl.formatMessage({
+        id: ETranslations.reset_pin_go_to_settings_desc,
+      }),
+    },
+    {
+      title: intl.formatMessage({
+        id: ETranslations.reset_pin_set_your_new_pin,
+      }),
+      description: intl.formatMessage({
+        id: ETranslations.reset_pin_set_your_new_pin_desc,
+      }),
+    },
+  ];
+
+  return (
+    <Page>
+      <OnboardingLayout>
+        <OnboardingLayout.Header />
+        <OnboardingLayout.Body constrained={false} scrollable={false}>
+          <OnboardingLayout.ConstrainedContent gap="$10">
+            <YStack gap="$2">
+              <SizableText size="$heading2xl">
+                {intl.formatMessage({
+                  id: ETranslations.reset_pin_using_another_device,
+                })}
+              </SizableText>
+              <SizableText size="$bodyLg" color="$textSubdued">
+                {intl.formatMessage({
+                  id: ETranslations.reset_pin_using_another_device_desc,
+                })}
+              </SizableText>
+            </YStack>
+            <YStack gap="$6">
+              {STEPS.map((step, index) => (
+                <XStack gap="$3" key={step.title}>
+                  <YStack
+                    bg="$bgInfo"
+                    w="$6"
+                    h="$6"
+                    alignItems="center"
+                    justifyContent="center"
+                    borderRadius="$full"
+                  >
+                    <SizableText size="$bodyMd" color="$textInfo">
+                      {index + 1}
+                    </SizableText>
+                  </YStack>
+                  <YStack gap="$1" flex={1}>
+                    <SizableText size="$bodyLgMedium">{step.title}</SizableText>
+                    <SizableText size="$bodyMd" color="$textSubdued">
+                      {step.description}
+                    </SizableText>
+                  </YStack>
+                </XStack>
+              ))}
+
+              {gtMd ? (
+                <Button size="large" variant="primary" onPress={handleDone}>
+                  {intl.formatMessage({
+                    id: ETranslations.i_have_done_these_steps,
+                  })}
+                </Button>
+              ) : null}
+            </YStack>
+          </OnboardingLayout.ConstrainedContent>
+        </OnboardingLayout.Body>
+        {!gtMd ? (
+          <OnboardingLayout.Footer>
+            <Button
+              size="large"
+              w="100%"
+              variant="primary"
+              onPress={handleDone}
+            >
+              {intl.formatMessage({
+                id: ETranslations.i_have_done_these_steps,
+              })}
+            </Button>
+          </OnboardingLayout.Footer>
+        ) : null}
+      </OnboardingLayout>
+    </Page>
+  );
+}
+
+export { ResetPinPage as default };
diff --git a/packages/kit/src/views/Onboardingv2/pages/VerifyPinPage.tsx b/packages/kit/src/views/Onboardingv2/pages/VerifyPinPage.tsx
new file mode 100644
index 000000000000..0a2521d15087
--- /dev/null
+++ b/packages/kit/src/views/Onboardingv2/pages/VerifyPinPage.tsx
@@ -0,0 +1,295 @@
+import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
+
+import { useRoute } from '@react-navigation/core';
+import { useIntl } from 'react-intl';
+
+import { ETranslations } from '@onekeyhq/shared/src/locale';
+import platformEnv from '@onekeyhq/shared/src/platformEnv';
+import type { IOnboardingParamListV2 } from '@onekeyhq/shared/src/routes';
+import {
+  EOnboardingPagesV2,
+  EOnboardingV2OneKeyIDLoginMode,
+} from '@onekeyhq/shared/src/routes';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
+
+import { AccountSelectorProviderMirror } from '../../../components/AccountSelector/AccountSelectorProvider';
+import { useKeylessWallet } from '../../../components/KeylessWallet/useKeylessWallet';
+import useAppNavigation from '../../../hooks/useAppNavigation';
+import {
+  type IPinInputLayoutRef,
+  PinInputLayout,
+} from '../components/PinInputLayout';
+
+import type { RouteProp } from '@react-navigation/core';
+
+const MAX_ATTEMPTS = 7;
+
+// Cooldown times based on attempt number (in seconds)
+// Attempt 1: 0, Attempt 2: 30s, Attempt 3: 60s, Attempt 4: 120s, Attempt 5-6: 300s
+const COOLDOWN_BY_ATTEMPT: Record<number, number> = {
+  1: 0, // First attempt: no cooldown
+  2: 30, // 0.5 min
+  3: 60, // 1 min
+  4: 120, // 2 min
+  5: 300, // 5 min
+  6: 300, // 5 min
+};
+
+function VerifyPinPage() {
+  const intl = useIntl();
+  const navigation = useAppNavigation();
+  const route =
+    useRoute<RouteProp<IOnboardingParamListV2, EOnboardingPagesV2.VerifyPin>>();
+  const { mode } = route.params ?? {};
+  const { verifyKeylessOnboardingPin } = useKeylessWallet();
+  const [isLoading, setIsLoading] = useState(false);
+  const pinInputRef = useRef<IPinInputLayoutRef | null>(null);
+
+  const isVerifyPinOnly =
+    mode === EOnboardingV2OneKeyIDLoginMode.KeylessVerifyPinOnly;
+  // Social login mode: when mode is not VerifyPinOnly (or no mode specified)
+  const isSocialLogin = !isVerifyPinOnly;
+
+  const [pin, setPin] = useState('');
+  const [errorMessage, setErrorMessage] = useState('');
+  const [attemptsRemaining, setAttemptsRemaining] = useState(MAX_ATTEMPTS);
+  const [cooldownSeconds, setCooldownSeconds] = useState(0);
+  const [showAttemptError, setShowAttemptError] = useState(false);
+  const cooldownTimerRef = useRef<ReturnType<typeof setInterval> | null>(null);
+
+  const isInputDisabled = isSocialLogin && cooldownSeconds > 0;
+
+  const { title, description } = useMemo(() => {
+    if (isSocialLogin) {
+      return {
+        title: intl.formatMessage({ id: ETranslations.enter_your_pin }),
+        description: intl.formatMessage({
+          id: ETranslations.enter_your_pin_desc,
+        }),
+      };
+    }
+    return {
+      title: intl.formatMessage({ id: ETranslations.remember_your_pin }),
+      description: intl.formatMessage({
+        id: ETranslations.remember_your_pin_desc,
+      }),
+    };
+  }, [isSocialLogin, intl]);
+
+  // Clear cooldown timer on unmount
+  useEffect(() => {
+    return () => {
+      if (cooldownTimerRef.current) {
+        clearInterval(cooldownTimerRef.current);
+      }
+    };
+  }, []);
+
+  const startCooldown = useCallback(
+    (seconds: number) => {
+      if (seconds <= 0) {
+        return;
+      }
+      setCooldownSeconds(seconds);
+      setPin('');
+      // Focus the input after clearing PIN
+      setTimeout(
+        () => {
+          if (pinInputRef.current) {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+            pinInputRef.current.focus();
+          }
+        },
+        platformEnv.isNative ? 100 : 50,
+      );
+
+      cooldownTimerRef.current = setInterval(() => {
+        setCooldownSeconds((prev) => {
+          if (prev <= 1) {
+            if (cooldownTimerRef.current) {
+              clearInterval(cooldownTimerRef.current);
+              cooldownTimerRef.current = null;
+            }
+            return 0;
+          }
+          return prev - 1;
+        });
+      }, 1000);
+    },
+    [pinInputRef],
+  );
+
+  const formatCooldownTime = useCallback((seconds: number) => {
+    const mins = Math.floor(seconds / 60);
+    const secs = seconds % 60;
+    return `${mins}:${secs.toString().padStart(2, '0')}`;
+  }, []);
+
+  const handlePinChange = useCallback(
+    (filteredText: string) => {
+      if (isInputDisabled) {
+        return;
+      }
+      setPin(filteredText);
+      setErrorMessage('');
+      setShowAttemptError(false);
+    },
+    [isInputDisabled],
+  );
+
+  const handleVerify = useCallback(async () => {
+    try {
+      setIsLoading(true);
+      await verifyKeylessOnboardingPin({ pin, mode });
+    } finally {
+      setIsLoading(false);
+      setPin('');
+      // Focus the input after clearing PIN
+      setTimeout(
+        () => {
+          if (pinInputRef.current) {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+            pinInputRef.current.focus();
+          }
+        },
+        platformEnv.isNative ? 100 : 50,
+      );
+    }
+  }, [pin, mode, pinInputRef, verifyKeylessOnboardingPin]);
+
+  const _handleVerifyLegacy = useCallback(() => {
+    // TODO: Verify against actual stored PIN on server
+    const isCorrect = false; // Mock: always fail for testing
+
+    if (isCorrect) {
+      if (isSocialLogin) {
+        navigation.push(EOnboardingPagesV2.CreatePasscode);
+      } else {
+        // For periodic verification, just go back
+        navigation.pop();
+      }
+    } else {
+      setPin('');
+      // Focus the input after clearing PIN
+      setTimeout(
+        () => {
+          if (pinInputRef.current) {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access
+            pinInputRef.current.focus();
+          }
+        },
+        platformEnv.isNative ? 100 : 50,
+      );
+
+      if (isSocialLogin) {
+        // Social login: apply retry mechanism with cooldown
+        const newAttemptsRemaining = attemptsRemaining - 1;
+        const attemptNumber = MAX_ATTEMPTS - newAttemptsRemaining;
+
+        setAttemptsRemaining(newAttemptsRemaining);
+        setShowAttemptError(true);
+
+        if (newAttemptsRemaining <= 0) {
+          // Max attempts reached - redirect to reset PIN page
+          navigation.replace(EOnboardingPagesV2.ResetPin);
+        } else {
+          // Get cooldown time for this attempt
+          const cooldownTime = COOLDOWN_BY_ATTEMPT[attemptNumber] || 0;
+          if (cooldownTime > 0) {
+            startCooldown(cooldownTime);
+          }
+        }
+      } else {
+        // Periodic verification: simple error message, no retry mechanism
+        setErrorMessage(
+          intl.formatMessage({ id: ETranslations.incorrect_pin }),
+        );
+      }
+    }
+  }, [
+    attemptsRemaining,
+    intl,
+    isSocialLogin,
+    navigation,
+    pinInputRef,
+    startCooldown,
+  ]);
+
+  const handleForgotPin = useCallback(() => {
+    if (isSocialLogin) {
+      navigation.push(EOnboardingPagesV2.ResetPin);
+    } else {
+      navigation.push(EOnboardingPagesV2.CreatePin, { isResetPin: true });
+    }
+  }, [isSocialLogin, navigation]);
+
+  // Build error message based on state
+  const displayErrorMessage = (() => {
+    if (errorMessage) {
+      return errorMessage;
+    }
+    if (
+      isSocialLogin &&
+      showAttemptError &&
+      attemptsRemaining < MAX_ATTEMPTS &&
+      attemptsRemaining > 0
+    ) {
+      const baseMessage = intl.formatMessage(
+        {
+          id: ETranslations.pin_attempts_remaining,
+        },
+        {
+          attemptsRemaining,
+        },
+      );
+      if (cooldownSeconds > 0) {
+        return `${baseMessage} ${intl.formatMessage(
+          { id: ETranslations.pin_attempts_cooldown },
+          {
+            seconds: formatCooldownTime(cooldownSeconds),
+          },
+        )}.`;
+      }
+      return baseMessage;
+    }
+    return '';
+  })();
+
+  return (
+    <PinInputLayout
+      ref={pinInputRef}
+      isLoading={isLoading}
+      title={title}
+      placeholder=""
+      description={description}
+      buttonText={intl.formatMessage({ id: ETranslations.global_continue })}
+      secondaryButtonText={
+        isSocialLogin
+          ? intl.formatMessage({ id: ETranslations.forgot_pin })
+          : intl.formatMessage({ id: ETranslations.reset_pin })
+      }
+      onSecondaryButtonPress={handleForgotPin}
+      value={pin}
+      onChange={handlePinChange}
+      onSubmit={handleVerify}
+      isSubmitDisabled={pin.length !== 4 || isInputDisabled}
+      isInputDisabled={isInputDisabled}
+      errorMessage={displayErrorMessage}
+    />
+  );
+}
+
+function VerifyPinPageWithContext() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <VerifyPinPage />
+    </AccountSelectorProviderMirror>
+  );
+}
+
+export { VerifyPinPageWithContext as default };
diff --git a/packages/kit/src/views/Onboardingv2/router/index.tsx b/packages/kit/src/views/Onboardingv2/router/index.tsx
index 3b2dc17e8078..c1aac682f37e 100644
--- a/packages/kit/src/views/Onboardingv2/router/index.tsx
+++ b/packages/kit/src/views/Onboardingv2/router/index.tsx
@@ -131,6 +131,48 @@ const KeylessWalletCreation = LazyLoadPage(
   false,
   <OnboardingLayoutFallback />,
 );
+const OneKeyIDLogin = LazyLoadPage(
+  () => import('../pages/OneKeyIDLoginPage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
+const CreatePin = LazyLoadPage(
+  () => import('../pages/CreatePinPage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
+const ConfirmPin = LazyLoadPage(
+  () => import('../pages/ConfirmPinPage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
+const CreatePasscode = LazyLoadPage(
+  () => import('../pages/CreatePasscodePage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
+const VerifyPin = LazyLoadPage(
+  () => import('../pages/VerifyPinPage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
+const ResetPin = LazyLoadPage(
+  () => import('../pages/ResetPinPage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
+const NewPinCreated = LazyLoadPage(
+  () => import('../pages/NewPinCreatedPage'),
+  undefined,
+  false,
+  <OnboardingLayoutFallback />,
+);
 
 const MoreAction = LazyLoadPage(
   () => import('../pages/MoreAction'),
@@ -252,6 +294,41 @@ export const OnboardingRouterV2: IModalFlowNavigatorConfig<
     component: KeylessWalletCreation,
     options: hiddenHeaderOptions,
   },
+  {
+    name: EOnboardingPagesV2.OneKeyIDLogin,
+    component: OneKeyIDLogin,
+    options: hiddenHeaderOptions,
+  },
+  {
+    name: EOnboardingPagesV2.CreatePin,
+    component: CreatePin,
+    options: hiddenHeaderOptions,
+  },
+  {
+    name: EOnboardingPagesV2.ConfirmPin,
+    component: ConfirmPin,
+    options: hiddenHeaderOptions,
+  },
+  {
+    name: EOnboardingPagesV2.CreatePasscode,
+    component: CreatePasscode,
+    options: hiddenHeaderOptions,
+  },
+  {
+    name: EOnboardingPagesV2.VerifyPin,
+    component: VerifyPin,
+    options: hiddenHeaderOptions,
+  },
+  {
+    name: EOnboardingPagesV2.ResetPin,
+    component: ResetPin,
+    options: hiddenHeaderOptions,
+  },
+  {
+    name: EOnboardingPagesV2.NewPinCreated,
+    component: NewPinCreated,
+    options: hiddenHeaderOptions,
+  },
   {
     name: EOnboardingPagesV2.MoreAction,
     component: MoreAction,
diff --git a/packages/kit/src/views/Prime/components/OneKeyIDLoginDialog/OneKeyIDLoginContent.tsx b/packages/kit/src/views/Prime/components/OneKeyIDLoginDialog/OneKeyIDLoginContent.tsx
index 81eb6ae58abe..a16367595600 100644
--- a/packages/kit/src/views/Prime/components/OneKeyIDLoginDialog/OneKeyIDLoginContent.tsx
+++ b/packages/kit/src/views/Prime/components/OneKeyIDLoginDialog/OneKeyIDLoginContent.tsx
@@ -3,14 +3,7 @@ import { useCallback } from 'react';
 
 import { useIntl } from 'react-intl';
 
-import {
-  Form,
-  Icon,
-  Input,
-  SizableText,
-  YStack,
-  useForm,
-} from '@onekeyhq/components';
+import { Form, Icon, Input, YStack, useForm } from '@onekeyhq/components';
 import { ListItem } from '@onekeyhq/kit/src/components/ListItem';
 import { ETranslations } from '@onekeyhq/shared/src/locale';
 import platformEnv from '@onekeyhq/shared/src/platformEnv';
@@ -131,10 +124,6 @@ export function OneKeyIDLoginContent({
           />
         </Form.Field>
       </Form>
-      <SizableText mt="$2.5" size="$bodySm" color="$textSubdued">
-        OneKey ID is all you need to access all OneKey services and earn
-        referral rewards.
-      </SizableText>
     </YStack>
   );
 }
diff --git a/packages/kit/src/views/ReferFriends/pages/ReferAFriend/components/ReferAFriendIntroPhase/index.tsx b/packages/kit/src/views/ReferFriends/pages/ReferAFriend/components/ReferAFriendIntroPhase/index.tsx
index 7a40b6bfc47b..11988a78b126 100644
--- a/packages/kit/src/views/ReferFriends/pages/ReferAFriend/components/ReferAFriendIntroPhase/index.tsx
+++ b/packages/kit/src/views/ReferFriends/pages/ReferAFriend/components/ReferAFriendIntroPhase/index.tsx
@@ -58,7 +58,8 @@ export function ReferAFriendIntroPhase({
             {
               amount: (
                 <SizableText
-                  key="reward-amount"
+                  // `react-intl` may return an array of nodes; ensure the element has a stable key.
+                  key="referral_reward_amount"
                   size="$heading2xl"
                   color="$textSuccess"
                 >
diff --git a/packages/kit/src/views/Setting/pages/Tab/SettingListSubModal.tsx b/packages/kit/src/views/Setting/pages/Tab/SettingListSubModal.tsx
index bf1ea92b0aa8..94d276af296c 100644
--- a/packages/kit/src/views/Setting/pages/Tab/SettingListSubModal.tsx
+++ b/packages/kit/src/views/Setting/pages/Tab/SettingListSubModal.tsx
@@ -2,10 +2,12 @@ import { useMemo } from 'react';
 
 import { useRoute } from '@react-navigation/core';
 
+import { AccountSelectorProviderMirror } from '@onekeyhq/kit/src/components/AccountSelector';
 import type {
   EModalSettingRoutes,
   IModalSettingParamList,
 } from '@onekeyhq/shared/src/routes';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
 
 import { useSettingsConfig } from './config';
 import { SubSettingsPage } from './SubSettingsPage';
@@ -14,7 +16,7 @@ import type { RouteProp } from '@react-navigation/core';
 
 type ISettingName = string;
 
-export default function SettingListSubModal() {
+function SettingListSubModalView() {
   const route =
     useRoute<
       RouteProp<IModalSettingParamList, EModalSettingRoutes.SettingListSubModal>
@@ -32,3 +34,16 @@ export default function SettingListSubModal() {
     />
   );
 }
+
+export default function SettingListSubModal() {
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      <SettingListSubModalView />
+    </AccountSelectorProviderMirror>
+  );
+}
diff --git a/packages/kit/src/views/Setting/pages/Tab/config.tsx b/packages/kit/src/views/Setting/pages/Tab/config.tsx
index e056f0369810..e22d7743ed48 100644
--- a/packages/kit/src/views/Setting/pages/Tab/config.tsx
+++ b/packages/kit/src/views/Setting/pages/Tab/config.tsx
@@ -11,7 +11,11 @@ import type {
 } from '@onekeyhq/components';
 import { Dialog } from '@onekeyhq/components';
 import backgroundApiProxy from '@onekeyhq/kit/src/background/instance/backgroundApiProxy';
-import { useKeylessWalletFeatureIsEnabled } from '@onekeyhq/kit/src/components/KeylessWallet/useKeylessWallet';
+import {
+  useKeylessWallet,
+  useKeylessWalletExistsLocal,
+  useKeylessWalletFeatureIsEnabled,
+} from '@onekeyhq/kit/src/components/KeylessWallet/useKeylessWallet';
 import { useOneKeyAuth } from '@onekeyhq/kit/src/components/OneKeyAuth/useOneKeyAuth';
 import PasswordUpdateContainer from '@onekeyhq/kit/src/components/Password/container/PasswordUpdateContainer';
 import {
@@ -46,6 +50,10 @@ import {
   EModalKeyTagRoutes,
   EModalRoutes,
   EModalSettingRoutes,
+  EOnboardingPagesV2,
+  EOnboardingV2OneKeyIDLoginMode,
+  EOnboardingV2Routes,
+  ERootRoutes,
 } from '@onekeyhq/shared/src/routes';
 import { EManualBackupRoutes } from '@onekeyhq/shared/src/routes/manualBackup';
 import { EPrimeFeatures, EPrimePages } from '@onekeyhq/shared/src/routes/prime';
@@ -156,6 +164,8 @@ export const useSettingsConfig: () => ISettingsConfig = () => {
   const { cloudBackupFeatureInfo, startBackup } = useCloudBackup();
 
   const isKeylessWalletEnabled = useKeylessWalletFeatureIsEnabled();
+  const isKeylessWalletExistsLocal = useKeylessWalletExistsLocal();
+  const { goToOneKeyIDLoginPageForKeylessWallet } = useKeylessWallet();
 
   return useMemo(
     () => [
@@ -506,6 +516,17 @@ export const useSettingsConfig: () => ISettingsConfig = () => {
                     }
                   },
                 },
+            platformEnv.isWebDappMode || !isKeylessWalletExistsLocal
+              ? undefined
+              : {
+                  icon: 'InputOutline',
+                  title: intl.formatMessage({ id: ETranslations.reset_pin }),
+                  onPress: (navigation) => {
+                    void goToOneKeyIDLoginPageForKeylessWallet({
+                      mode: EOnboardingV2OneKeyIDLoginMode.KeylessResetPin,
+                    });
+                  },
+                },
           ],
           [
             platformEnv.isWebDappMode
@@ -818,6 +839,7 @@ export const useSettingsConfig: () => ISettingsConfig = () => {
     ],
     [
       intl,
+      goToOneKeyIDLoginPageForKeylessWallet,
       cloudBackupFeatureInfo?.supportCloudBackup,
       cloudBackupFeatureInfo?.icon,
       cloudBackupFeatureInfo?.title,
@@ -835,6 +857,7 @@ export const useSettingsConfig: () => ISettingsConfig = () => {
       appUpdateInfo.isNeedUpdate,
       devSettings.enabled,
       isKeylessWalletEnabled,
+      isKeylessWalletExistsLocal,
       startBackup,
       onPressAddressBook,
       helpCenterUrl,
diff --git a/packages/kit/src/views/Setting/pages/Tab/index.tsx b/packages/kit/src/views/Setting/pages/Tab/index.tsx
index 88f7da665913..d55b492ebcca 100644
--- a/packages/kit/src/views/Setting/pages/Tab/index.tsx
+++ b/packages/kit/src/views/Setting/pages/Tab/index.tsx
@@ -20,8 +20,10 @@ import {
   useSafeAreaInsets,
 } from '@onekeyhq/components';
 import { DesktopTabItem } from '@onekeyhq/components/src/layouts/Navigation/Tab/TabBar/DesktopTabItem';
+import { AccountSelectorProviderMirror } from '@onekeyhq/kit/src/components/AccountSelector';
 import useAppNavigation from '@onekeyhq/kit/src/hooks/useAppNavigation';
 import platformEnv from '@onekeyhq/shared/src/platformEnv';
+import { EAccountSelectorSceneName } from '@onekeyhq/shared/types';
 
 import { ESettingsTabNames, useSettingsConfig } from './config';
 import { ConfigContext } from './configContext';
@@ -246,7 +248,16 @@ function SettingTab() {
       });
     }
   }, [appNavigation, isTabNavigator]);
-  return isTabNavigator ? <MemoizedSettingsTabNavigator /> : <SettingList />;
+  return (
+    <AccountSelectorProviderMirror
+      enabledNum={[0]}
+      config={{
+        sceneName: EAccountSelectorSceneName.home,
+      }}
+    >
+      {isTabNavigator ? <MemoizedSettingsTabNavigator /> : <SettingList />}
+    </AccountSelectorProviderMirror>
+  );
 }
 
 export default memo(SettingTab);
diff --git a/packages/shared/src/appCrypto/cryptoSubtlePolyfill.js b/packages/shared/src/appCrypto/cryptoSubtlePolyfill.js
new file mode 100644
index 000000000000..9fe4b150f310
--- /dev/null
+++ b/packages/shared/src/appCrypto/cryptoSubtlePolyfill.js
@@ -0,0 +1,100 @@
+const platformEnv = require('@onekeyhq/shared/src/platformEnv');
+
+/**
+ * Polyfill crypto.subtle for React Native
+ *
+ * Purpose:
+ * - Enables Supabase Auth PKCE to use s256 (SHA-256) instead of plain method
+ * - Supabase's @supabase/auth-js GoTrueClient checks crypto.subtle.digest
+ *   to determine PKCE code_challenge method support
+ *
+ * Implementation Notes:
+ * - Uses react-native-aes-crypto native module for SHA hashing
+ * - The native module (both iOS/Android) expects HEX-ENCODED string input:
+ *   - iOS: AesCrypt.m uses [self fromHex:input] to decode hex to bytes
+ *   - Android: Aes.java uses Hex.decode(data) to decode hex to bytes
+ * - This is why we convert ArrayBuffer -> hex string before calling native functions
+ *
+ * Prerequisites:
+ * - Must be loaded AFTER the crypto polyfill in polyfillsPlatform.js
+ * - Requires react-native-aes-crypto native module to be linked
+ *
+ * Limitations:
+ * - Only implements digest() method (minimum required for Supabase PKCE)
+ * - Supports SHA-1, SHA-256, SHA-512 algorithms only
+ */
+if (platformEnv.isNative) {
+  if (typeof crypto !== 'undefined' && typeof crypto.subtle === 'undefined') {
+    // Lazy load RN_AES to avoid circular dependency issues at module initialization
+    let RN_AES = null;
+    const getRNAES = () => {
+      if (!RN_AES) {
+        RN_AES = require('react-native-aes-crypto').default;
+      }
+      return RN_AES;
+    };
+
+    /**
+     * Convert hex string to ArrayBuffer
+     * Used to convert native hash result (hex) back to Web Crypto API format (ArrayBuffer)
+     */
+    const hexToArrayBuffer = (hex) => {
+      const bytes = new Uint8Array(hex.length / 2);
+      for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+      }
+      return bytes.buffer;
+    };
+
+    /**
+     * Convert ArrayBuffer/Uint8Array to hex string
+     * Required because react-native-aes-crypto native module expects hex-encoded input
+     * @see iOS: AesCrypt.m - [self fromHex:input]
+     * @see Android: Aes.java - Hex.decode(data)
+     */
+    const arrayBufferToHex = (buffer) => {
+      const bytes = new Uint8Array(buffer);
+      return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+    };
+
+    // Create a minimal crypto.subtle polyfill (only digest() for Supabase PKCE)
+    crypto.subtle = {
+      /**
+       * Compute hash digest using react-native-aes-crypto native module
+       * Implements Web Crypto API's SubtleCrypto.digest() interface
+       * @param {string} algorithm - Hash algorithm (e.g., 'SHA-256', 'SHA-512', 'SHA-1')
+       * @param {ArrayBuffer|Uint8Array} data - Data to hash
+       * @returns {Promise<ArrayBuffer>} - Hash result as ArrayBuffer
+       */
+      digest: async (algorithm, data) => {
+        // Normalize algorithm name: 'SHA-256' -> 'SHA256'
+        const normalizedAlgorithm = algorithm.toUpperCase().replace('-', '');
+        // Convert input to hex (required by react-native-aes-crypto native module)
+        const hexData = arrayBufferToHex(data);
+        const rnAes = getRNAES();
+
+        let hashHex;
+        switch (normalizedAlgorithm) {
+          case 'SHA256':
+            hashHex = await rnAes.sha256(hexData);
+            break;
+          case 'SHA512':
+            hashHex = await rnAes.sha512(hexData);
+            break;
+          case 'SHA1':
+            hashHex = await rnAes.sha1(hexData);
+            break;
+          default:
+            throw new Error(
+              `crypto.subtle.digest: Unsupported algorithm "${algorithm}"`,
+            );
+        }
+
+        // Convert hex result back to ArrayBuffer (Web Crypto API format)
+        return hexToArrayBuffer(hashHex);
+      },
+    };
+  }
+}
diff --git a/packages/shared/src/cloudfs/index.android.ts b/packages/shared/src/cloudfs/index.android.ts
index bf77568ecddc..a22cc0bd21c4 100644
--- a/packages/shared/src/cloudfs/index.android.ts
+++ b/packages/shared/src/cloudfs/index.android.ts
@@ -18,15 +18,20 @@ export async function isAvailable(): Promise<boolean> {
 export async function loginIfNeeded(
   showSignInDialog: boolean,
 ): Promise<boolean> {
-  const signedIn = await GoogleSignin.isSignedIn();
-  if (signedIn) {
+  const hasPreviousSignIn = GoogleSignin.hasPreviousSignIn();
+  if (hasPreviousSignIn) {
     try {
-      return await RNCloudFs.loginIfNeeded();
+      GoogleSignin.configure(GoogleSignInConfigure);
+      const response = await GoogleSignin.signInSilently();
+      if (response.type === 'success') {
+        return await RNCloudFs.loginIfNeeded();
+      }
     } catch (error) {
       // debugLogger.cloudBackup.error(error);
       return Promise.resolve(false);
     }
-  } else if (showSignInDialog) {
+  }
+  if (showSignInDialog) {
     GoogleSignin.configure(GoogleSignInConfigure);
     await GoogleSignin.signIn();
     return RNCloudFs.loginIfNeeded();
diff --git a/packages/shared/src/consts/authConsts.ts b/packages/shared/src/consts/authConsts.ts
index 91bbe32a8829..5a26d85723d8 100644
--- a/packages/shared/src/consts/authConsts.ts
+++ b/packages/shared/src/consts/authConsts.ts
@@ -8,10 +8,31 @@ const IS_DEV = process.env.NODE_ENV !== 'production';
 export const OAUTH_CALLBACK_DESKTOP_CHANNEL =
   'oauth:desktop_localhost_server:callback';
 
+/**
+ * OAuth callback path for desktop localhost server
+ */
+export const OAUTH_CALLBACK_DESKTOP_PATH = '/oauth_callback_desktop';
+
+/**
+ * OAuth callback path for web platform
+ */
+export const OAUTH_CALLBACK_WEB_PATH = '/oauth_callback_web/';
+
+/**
+ * OAuth callback path for native platforms (iOS/Android)
+ */
+export const OAUTH_CALLBACK_NATIVE_PATH = 'oauth_callback_native';
+
 // ============================================================================
 // OAuth shared constants (OneKeyAuth)
 // ============================================================================
 
+// OAuth provider types (used by OneKeyAuth)
+export enum EOAuthSocialLoginProvider {
+  Google = 'google',
+  Apple = 'apple',
+}
+
 // OAuth method enums (used by OneKeyAuth)
 export enum EDesktopOAuthMethod {
   // ✅ RECOMMENDED
@@ -21,7 +42,7 @@ export enum EDesktopOAuthMethod {
   LOCALHOST_SERVER = 'LOCALHOST_SERVER',
 
   // Use in-app webview to handle OAuth
-  // Intercepts navigation to onekey-wallet://auth/callback
+  // Intercepts navigation to onekey-wallet://oauth_callback_native
   WEBVIEW = 'WEBVIEW',
 
   // Use system browser + deep link callback
@@ -49,6 +70,16 @@ export enum EExtensionOAuthMethod {
   DIRECT_EXTENSION_SCHEME = 'DIRECT_EXTENSION_SCHEME',
 }
 
+export enum ENativeOAuthMethod {
+  // ✅ RECOMMENDED: Use @react-native-google-signin/google-signin or expo-apple-authentication with signInWithIdToken
+  NATIVE_SDK = 'NATIVE_SDK',
+
+  // Fallback: Use expo-web-browser.openAuthSessionAsync
+  // Opens in-app browser for OAuth, uses deep link callback
+  // Redirect URL: onekey-wallet://oauth_callback_native
+  WEB_BROWSER = 'WEB_BROWSER',
+}
+
 // 5 minutes OAuth timeout (used by web/desktop/ext flows)
 export const OAUTH_FLOW_TIMEOUT_MS = 5 * 60 * 1000;
 
@@ -63,6 +94,10 @@ export const OAUTH_DESKTOP_WEBVIEW_HEIGHT = 640;
 // Poll / focus interval used by web popup + extension OAuth window focusing
 export const OAUTH_POLL_INTERVAL_MS = 500;
 
+// OneKey-owned state (defense-in-depth) used for OAuth flows where the upstream provider
+// does not reliably include `state` in the authorize URL / callback.
+export const ONEKEY_OAUTH_STATE_KEY = 'onekey_oauth_state';
+
 // Common OAuth callback token keys (hash/search params)
 export const OAUTH_TOKEN_KEY_ACCESS_TOKEN = 'access_token';
 export const OAUTH_TOKEN_KEY_REFRESH_TOKEN = 'refresh_token';
@@ -84,6 +119,17 @@ export const GOOGLE_OAUTH_DEFAULT_SCOPES = [
 
 export const EXTENSION_OAUTH_USE_PKCE_FLOW = true;
 
+// Apple Sign-In nonce support
+// When enabled, a nonce will be generated and passed to Apple Sign-In for replay attack protection
+// Reference: https://developer.apple.com/documentation/authenticationservices/asauthorizationopenidrequest/nonce
+export const APPLE_SIGNIN_USE_NONCE = true;
+
+// Desktop native Apple Sign-In (macOS only)
+// When enabled, macOS will use native ASAuthorizationController for Apple Sign-In
+// instead of opening the browser. Provides better UX with system UI and Touch ID.
+// Set to false to always use browser OAuth flow.
+export const MAC_DESKTOP_USE_NATIVE_APPLE_SIGNIN = false;
+
 // Email OTP
 export const EMAIL_OTP_COUNTDOWN_SECONDS = 60;
 
@@ -92,6 +138,8 @@ export const DEFAULT_EXTENSION_OAUTH_METHOD: EExtensionOAuthMethod =
   EExtensionOAuthMethod.CHROME_IDENTITY_API;
 export const DEFAULT_DESKTOP_OAUTH_METHOD: EDesktopOAuthMethod =
   EDesktopOAuthMethod.LOCALHOST_SERVER;
+export const DEFAULT_NATIVE_OAUTH_METHOD: ENativeOAuthMethod =
+  ENativeOAuthMethod.NATIVE_SDK;
 
 // Google OAuth clients
 //  - https://console.cloud.google.com/auth/clients
@@ -100,22 +148,83 @@ export const DEFAULT_DESKTOP_OAUTH_METHOD: EDesktopOAuthMethod =
 // - OAuth client: https://console.cloud.google.com/apis/credentials
 // - Authorized redirect URIs (for chrome.identity.launchWebAuthFlow):
 //   https://<extension-id>.chromiumapp.org  (no trailing slash)
-export const GOOGLE_CHROME_EXTENSION_CLIENT_ID =
-  '244450898872-d22ubafv8ca38s6fp0kflhdr6e3s386u.apps.googleusercontent.com'; // oauth web client, not extension client
+
 // TODO: Search for all occurrences of 'apps.googleusercontent.com' in the project and consolidate all discovered OAuth client IDs here for unified management.
 
+// ================================================
+// Google OAuth Clients
+// -----------------------------------------------
+
+const GOOGLE_OAUTH_CLIENT_WEB =
+  '244450898872-vmpg9dgocpqtqhm5pk42u4s6hvprogp6.apps.googleusercontent.com';
+const GOOGLE_OAUTH_CLIENT_IOS =
+  '244450898872-5uo9r8ekdc82huckjcr4br67edvf3vlg.apps.googleusercontent.com';
+
+// ================================================
+
+export const GOOGLE_OAUTH_CLIENT_IDS = {
+  WEB: GOOGLE_OAUTH_CLIENT_WEB,
+  EXTENSION: GOOGLE_OAUTH_CLIENT_WEB, // oauth web client, not extension client
+  ANDROID: GOOGLE_OAUTH_CLIENT_WEB,
+  IOS: GOOGLE_OAUTH_CLIENT_IOS,
+};
+
 // Supabase (OneKeyAuth)
 // Project URL at https://supabase.com/dashboard/project/_/settings/api
-export const SUPABASE_PROJECT_URL = IS_DEV
-  ? process.env.SUPABASE_PROJECT_URL ||
-    'https://bwgpgzbzdgkisozswlck.supabase.co' // local test
-  : 'https://bwgpgzbzdgkisozswlck.supabase.co';
+export const SUPABASE_PROJECT_URL = 'https://bwgpgzbzdgkisozswlck.supabase.co';
 
 // Publishable key at https://supabase.com/dashboard/project/_/settings/api-keys/new
-export const SUPABASE_PUBLIC_API_KEY = IS_DEV
-  ? process.env.SUPABASE_PUBLIC_API_KEY ||
-    'sb_publishable_bnNx0b2QZENMm1OLNAyHeQ_FLagwrqN' // local test
-  : 'sb_publishable_bnNx0b2QZENMm1OLNAyHeQ_FLagwrqN';
+export const SUPABASE_PUBLIC_API_KEY =
+  'sb_publishable_bnNx0b2QZENMm1OLNAyHeQ_FLagwrqN';
+
+// ================================================
+// Keyless Supabase
+// -----------------------------------------------
+
+// --- onekeytest
+export const KEYLESS_SUPABASE_PROJECT_URL =
+  'https://supabase.onekey-internal.com'; // onekeytest
+export const KEYLESS_SUPABASE_PUBLIC_API_KEY =
+  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlzcyI6InN1cGFiYXNlIiwiaWF0IjoxNzY3NTg3OTE4LCJleHAiOjE5MjUyNjc5MTh9.F69Rgt30To2V0Rij1nbTpjkHyAv6VpWGz3a81rkpM0U';
+
+// --- localtest
+// export const KEYLESS_SUPABASE_PROJECT_URL =
+//   'https://wtspqckturkzhstyjabx.supabase.co';
+// export const KEYLESS_SUPABASE_PUBLIC_API_KEY =
+//   'sb_publishable_So24RIupCcXUHaKo1gM4VA_uOBbgjoN';
+
+// ================================================
+
+type IJuiceBoxRealmConfig = {
+  id: string;
+  address: string;
+  public_key?: string;
+};
+
+type IJuiceBoxConfigJSON = {
+  realms: IJuiceBoxRealmConfig[];
+  register_threshold: number;
+  recover_threshold: number;
+  pin_hashing_mode: 'Standard2019' | 'FastInsecure';
+};
+
+export const JUICEBOX_AUTH_SERVER = 'https://juicebox.onekeytest.com';
+export const JUICEBOX_CONFIG: IJuiceBoxConfigJSON = {
+  realms: [
+    {
+      id: '37ce3a59ff08d57b77bac0b8451ff2d8',
+      address: 'https://juicebox-sw-realm-a.onekeytest.com',
+    },
+    {
+      id: '6b47cc201434428be7beee2190f95685',
+      address: 'https://juicebox-sw-realm-b.onekeytest.com',
+    },
+  ],
+  register_threshold: 2, // At least 2 realms must succeed to register
+  recover_threshold: 2, // At least 2 realms must succeed to recover
+  pin_hashing_mode: 'Standard2019',
+};
+export const JUICEBOX_ALLOWED_GUESSES = 10; // Number of allowed PIN guess attempts
 
 // Supabase OAuth Providers
 // https://supabase.com/dashboard/project/_/auth/providers
@@ -125,3 +234,4 @@ export const SUPABASE_PUBLIC_API_KEY = IS_DEV
 
 // Supabase DOCS
 // - https://supabase.com/docs/guides/auth/social-login/auth-google
+// - https://react-native-google-signin.github.io/docs/setting-up/ios
diff --git a/packages/shared/src/consts/googleSignConsts.ts b/packages/shared/src/consts/googleSignConsts.ts
index ef57c9305ff2..07ffd3116a40 100644
--- a/packages/shared/src/consts/googleSignConsts.ts
+++ b/packages/shared/src/consts/googleSignConsts.ts
@@ -1,11 +1,26 @@
 /* eslint-disable spellcheck/spell-checker */
 
+import { GOOGLE_OAUTH_CLIENT_IDS } from './authConsts';
+
 export const GoogleSignInConfigure = {
-  scopes: ['https://www.googleapis.com/auth/drive.file'],
+  scopes: [
+    'openid',
+    'profile',
+    'email',
+    'https://www.googleapis.com/auth/drive.file',
+  ],
+  offlineAccess: false,
+  webClientId: GOOGLE_OAUTH_CLIENT_IDS.ANDROID,
+
   // webClientId: platformEnv.isDev
   //   ? // DEVELOPER_ERROR: On local development this can happen due to incorrect app signing. Please test with a production-signed build.
   //     '117481276073-fs7omuqsmvgtg6bci3ja1gvo03g0d984.apps.googleusercontent.com' // Dev
   //   : '94391474021-ffaspa4ikjqpqvn5ndplqobvuvhnj8v3.apps.googleusercontent.com', // Pro
   // offlineAccess: true,
+};
+
+export const GoogleSignInConfigureIOS = {
+  scopes: ['openid', 'profile', 'email'],
   offlineAccess: false,
+  iosClientId: GOOGLE_OAUTH_CLIENT_IDS.IOS,
 };
diff --git a/packages/shared/src/keylessWallet/keylessWalletConsts.ts b/packages/shared/src/keylessWallet/keylessWalletConsts.ts
index 0c07b95fc6d6..975d618a5da8 100644
--- a/packages/shared/src/keylessWallet/keylessWalletConsts.ts
+++ b/packages/shared/src/keylessWallet/keylessWalletConsts.ts
@@ -2,3 +2,8 @@ export enum EKeylessWalletEnableScene {
   Onboarding = 'onboarding',
   GetMnemonic = 'getMnemonic',
 }
+export enum EKeylessFinalizeAction {
+  Create = 'create',
+  Restore = 'restore',
+  ResetPin = 'resetPin',
+}
diff --git a/packages/shared/src/keylessWallet/keylessWalletTypes.ts b/packages/shared/src/keylessWallet/keylessWalletTypes.ts
index a06a4c5d2edd..9cc28be104c9 100644
--- a/packages/shared/src/keylessWallet/keylessWalletTypes.ts
+++ b/packages/shared/src/keylessWallet/keylessWalletTypes.ts
@@ -1,5 +1,7 @@
 import type { ECloudBackupProviderType } from '@onekeyhq/shared/src/cloudBackup/cloudBackupTypes';
 
+import type { JWTPayload } from 'jose';
+
 export type IKeylessWalletShare = string; // base64 string
 
 export type IKeylessWalletUserInfo = {
@@ -100,3 +102,28 @@ export type IKeylessWalletRestoredData = {
   cloudKeyPackData: ICloudKeyPackEncryptedData | undefined;
   packs: IKeylessWalletPacks;
 };
+
+export type IKeylessBackendShare = {
+  ownerId: string;
+  encryptedMnemonic: string;
+  backendShare: string;
+  // pinSalt: string; // TODO
+  juiceboxShareX: number; // x-coordinate of the juicebox share for recovery
+};
+
+export type IKeylessJuiceboxShare = {
+  ownerId: string;
+  pin: string;
+  juiceboxShare: string;
+  backendShareX: number; // x-coordinate of the backend share for recovery
+};
+
+export type ISupabaseJWTPayload = JWTPayload & {
+  app_metadata: {
+    provider: string;
+  };
+  user_metadata: {
+    sub: string;
+    iss: string;
+  };
+};
diff --git a/packages/shared/src/keylessWallet/shamirUtils.ts b/packages/shared/src/keylessWallet/shamirUtils.ts
index a52a8adb4192..9ef6ae075cda 100644
--- a/packages/shared/src/keylessWallet/shamirUtils.ts
+++ b/packages/shared/src/keylessWallet/shamirUtils.ts
@@ -134,9 +134,65 @@ function recoverMissingShare(params: {
   return bufferUtils.bytesToBase64(missingShareBytes);
 }
 
+/**
+ * Recover the missing Shamir share using base64-encoded secret.
+ * This is used for Reset PIN flow where the secret is mnemonicPassword (base64).
+ *
+ * @param secretBase64 - The secret (mnemonicPassword) as base64 string
+ * @param shareBase64 - One of the existing shares (backendShare) as base64 string
+ * @param missingX - The x-coordinate of the missing share (juiceboxShare)
+ * @returns The recovered share as base64 string
+ */
+function recoverMissingShareFromSecret(params: {
+  secretBase64: string;
+  shareBase64: string;
+  missingX: number;
+}): string {
+  const { secretBase64, shareBase64, missingX } = params;
+  const shareBytes = bufferUtils.base64ToBytes(shareBase64);
+  const secretBytes = bufferUtils.base64ToBytes(secretBase64);
+
+  // Share format: [y-values (N bytes), x-coordinate (1 byte)]
+  // x-coordinate is the LAST byte
+  const secretLength = shareBytes.length - 1;
+  const x1 = shareBytes[secretLength]; // x-coordinate at the end
+  const y1 = shareBytes.slice(0, secretLength); // y-values at the beginning
+
+  // Verify secret length matches share length
+  if (secretBytes.length !== secretLength) {
+    throw new OneKeyLocalError(
+      `Secret length (${secretBytes.length}) does not match share length (${secretLength})`,
+    );
+  }
+
+  // Compute y-values for the missing share
+  const missingY = new Uint8Array(secretLength);
+
+  for (let i = 0; i < secretLength; i += 1) {
+    const s = secretBytes[i]; // secret byte
+    const yi = y1[i]; // share1's y-value for this byte
+
+    // a1 = (y1 - s) / x1 in GF(256)
+    // In GF(256), subtraction is XOR
+    const a1 = GF256.div(GF256.sub(yi, s), x1);
+
+    // missingY = s + a1 * missingX
+    missingY[i] = GF256.add(s, GF256.mul(a1, missingX));
+  }
+
+  // Construct the missing share: [y-values, x-coordinate]
+  // Same format as shamir-secret-sharing library
+  const missingShareBytes = new Uint8Array(secretLength + 1);
+  missingShareBytes.set(missingY, 0);
+  missingShareBytes[secretLength] = missingX;
+
+  return bufferUtils.bytesToBase64(missingShareBytes);
+}
+
 export default {
   GF256,
   split,
   combine,
   recoverMissingShare,
+  recoverMissingShareFromSecret,
 };
diff --git a/packages/shared/src/polyfills/polyfillsPlatform.js b/packages/shared/src/polyfills/polyfillsPlatform.js
index f2d100e221fa..ba950eba1850 100644
--- a/packages/shared/src/polyfills/polyfillsPlatform.js
+++ b/packages/shared/src/polyfills/polyfillsPlatform.js
@@ -290,4 +290,13 @@ if (platformEnv.isNative) {
   }
 }
 
+// Polyfill crypto.subtle for React Native
+// This must be loaded AFTER the crypto polyfill (line 145-154) because it extends the crypto object.
+// Purpose: Enable Supabase Auth PKCE flow to use SHA-256 code_challenge (s256 method)
+// instead of falling back to plain method when crypto.subtle is unavailable.
+// @see @supabase/auth-js GoTrueClient.ts - checks crypto.subtle.digest for PKCE support
+if (platformEnv.isNative) {
+  require('@onekeyhq/shared/src/appCrypto/cryptoSubtlePolyfill');
+}
+
 console.log('polyfillsPlatform.native shim loaded');
diff --git a/packages/shared/src/routes/onboarding.ts b/packages/shared/src/routes/onboarding.ts
index 42857742652a..44e1a2871a05 100644
--- a/packages/shared/src/routes/onboarding.ts
+++ b/packages/shared/src/routes/onboarding.ts
@@ -113,8 +113,9 @@ export type IOnboardingParamList = {
   // finalize wallet setup
   [EOnboardingPages.FinalizeWalletSetup]: {
     mnemonic?: string;
-    mnemonicType?: EMnemonicType;
+    mnemonicType?: EMnemonicType; // bip39 or ton
     isWalletBackedUp?: boolean;
+    isKeylessWallet?: boolean;
   };
 
   // device management guide page
diff --git a/packages/shared/src/routes/onboardingv2.ts b/packages/shared/src/routes/onboardingv2.ts
index 7fe22c541af7..b1d98553e69a 100644
--- a/packages/shared/src/routes/onboardingv2.ts
+++ b/packages/shared/src/routes/onboardingv2.ts
@@ -1,5 +1,8 @@
+import type { IKeylessWalletDetailsInfo } from '@onekeyhq/kit-bg/src/dbs/local/types';
+
 import type { EConnectDeviceChannel } from '../../types/connectDevice';
 import type { IConnectYourDeviceItem } from '../../types/device';
+import type { EKeylessFinalizeAction } from '../keylessWallet/keylessWalletConsts';
 import type { IDetectedNetworkGroupItem } from '../utils/networkDetectUtils';
 import type { EMnemonicType } from '../utils/secret';
 import type { EDeviceType } from '@onekeyfe/hd-shared';
@@ -19,6 +22,12 @@ export enum EOnboardingV2KeylessWalletCreationMode {
   View = 'View',
 }
 
+export enum EOnboardingV2OneKeyIDLoginMode {
+  KeylessCreateOrRestore = 'KeylessCreateOrRestore',
+  KeylessResetPin = 'KeylessResetPin',
+  KeylessVerifyPinOnly = 'KeylessVerifyPinOnly',
+}
+
 export enum EOnboardingPagesV2 {
   GetStarted = 'GetStarted',
   AddExistingWallet = 'AddExistingWallet',
@@ -41,6 +50,13 @@ export enum EOnboardingPagesV2 {
   ImportKeyTag = 'ImportKeyTag',
   KeylessWalletRecovery = 'KeylessWalletRecovery',
   KeylessWalletCreation = 'KeylessWalletCreation',
+  OneKeyIDLogin = 'OneKeyIDLogin',
+  CreatePin = 'CreatePin',
+  ConfirmPin = 'ConfirmPin',
+  VerifyPin = 'VerifyPin',
+  ResetPin = 'ResetPin',
+  NewPinCreated = 'NewPinCreated',
+  CreatePasscode = 'CreatePasscode',
   MoreAction = 'MoreAction',
 }
 interface IVerifyRecoveryPhraseParams {
@@ -62,9 +78,12 @@ export type IOnboardingParamListV2 = {
     mnemonic?: string;
     mnemonicType?: EMnemonicType;
     isWalletBackedUp?: boolean;
+    isKeylessWallet?: boolean;
     isFirmwareVerified?: boolean;
     deviceData?: IConnectYourDeviceItem;
     keylessPackSetId?: string;
+    keylessOwnerId?: string;
+    keylessDetailsInfo?: IKeylessWalletDetailsInfo;
   };
   [EOnboardingPagesV2.PickYourDevice]: undefined;
   [EOnboardingPagesV2.ConnectYourDevice]: {
@@ -112,5 +131,22 @@ export type IOnboardingParamListV2 = {
     email?: string;
     mode?: EOnboardingV2KeylessWalletCreationMode;
   };
+  [EOnboardingPagesV2.OneKeyIDLogin]: {
+    mode: EOnboardingV2OneKeyIDLoginMode;
+  };
+  [EOnboardingPagesV2.CreatePin]: {
+    action?: EKeylessFinalizeAction;
+  };
+  [EOnboardingPagesV2.ConfirmPin]: {
+    action?: EKeylessFinalizeAction;
+  };
+  [EOnboardingPagesV2.CreatePasscode]: {
+    action: EKeylessFinalizeAction;
+  };
+  [EOnboardingPagesV2.VerifyPin]: {
+    mode?: EOnboardingV2OneKeyIDLoginMode;
+  };
+  [EOnboardingPagesV2.ResetPin]: undefined;
+  [EOnboardingPagesV2.NewPinCreated]: undefined;
   [EOnboardingPagesV2.MoreAction]: undefined;
 };
diff --git a/packages/shared/src/storage/GoogleDriveStorage/GoogleDriveStorage.android.ts b/packages/shared/src/storage/GoogleDriveStorage/GoogleDriveStorage.android.ts
index f14a77e6a483..e85ace8cbdd8 100644
--- a/packages/shared/src/storage/GoogleDriveStorage/GoogleDriveStorage.android.ts
+++ b/packages/shared/src/storage/GoogleDriveStorage/GoogleDriveStorage.android.ts
@@ -72,10 +72,18 @@ export class GoogleDriveStorage {
         return false;
       }
       // Check if Google Play Services is available
-      const signedIn = await GoogleSignin.isSignedIn();
-      if (signedIn) {
-        await RNCloudFs.loginIfNeeded();
-        return true;
+      const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+      if (hasPreviousSignedIn) {
+        try {
+          const response = await GoogleSignin.signInSilently();
+          if (response.type === 'success') {
+            await RNCloudFs.loginIfNeeded();
+            return true;
+          }
+        } catch (error) {
+          console.warn('Google Drive availability check failed:', error);
+          return false;
+        }
       }
       return false;
     } catch (error) {
@@ -90,13 +98,15 @@ export class GoogleDriveStorage {
     showSignInDialog: boolean;
   }): Promise<boolean> {
     GoogleSignin.configure(GoogleSignInConfigure);
-    const signedIn = await GoogleSignin.isSignedIn();
-    if (!signedIn) {
+    const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+    if (!hasPreviousSignedIn) {
       if (showSignInDialog) {
         await GoogleSignin.signIn();
       } else {
         await GoogleSignin.signInSilently();
       }
+    } else {
+      await GoogleSignin.signInSilently();
     }
     return RNCloudFs.loginIfNeeded();
   }
@@ -117,19 +127,18 @@ export class GoogleDriveStorage {
     if (!platformEnv.isNativeAndroid) {
       return false;
     }
-    return GoogleSignin.isSignedIn();
+    return GoogleSignin.hasPreviousSignIn();
   }
 
   async getUserInfo(): Promise<IGoogleUserInfo | null> {
     await this.loginIfNeeded({ showSignInDialog: false });
 
-    const signedIn = await GoogleSignin.isSignedIn();
-    if (!signedIn) {
+    const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+    if (!hasPreviousSignedIn) {
       return null;
     }
 
-    const userInfo: IGoogleUserInfo | null =
-      await GoogleSignin.getCurrentUser();
+    const userInfo: IGoogleUserInfo | null = GoogleSignin.getCurrentUser();
     return userInfo;
   }
 
@@ -140,8 +149,8 @@ export class GoogleDriveStorage {
     const { fileName, content } = params;
 
     // Ensure user is signed in
-    const signedIn = await GoogleSignin.isSignedIn();
-    if (!signedIn) {
+    const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+    if (!hasPreviousSignedIn) {
       throw new OneKeyLocalError(
         'Not signed in to Google. Please sign in first.',
       );
@@ -194,8 +203,8 @@ export class GoogleDriveStorage {
     const { fileId } = params;
 
     // Ensure user is signed in
-    const signedIn = await GoogleSignin.isSignedIn();
-    if (!signedIn) {
+    const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+    if (!hasPreviousSignedIn) {
       throw new OneKeyLocalError(
         'Not signed in to Google. Please sign in first.',
       );
@@ -217,8 +226,8 @@ export class GoogleDriveStorage {
     const { fileId } = params;
 
     // Ensure user is signed in
-    const signedIn = await GoogleSignin.isSignedIn();
-    if (!signedIn) {
+    const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+    if (!hasPreviousSignedIn) {
       throw new OneKeyLocalError(
         'Not signed in to Google. Please sign in first.',
       );
@@ -232,8 +241,8 @@ export class GoogleDriveStorage {
 
   async listFiles(): Promise<{ files: IGoogleDriveFile[] }> {
     // Ensure user is signed in
-    const signedIn = await GoogleSignin.isSignedIn();
-    if (!signedIn) {
+    const hasPreviousSignedIn = GoogleSignin.hasPreviousSignIn();
+    if (!hasPreviousSignedIn) {
       throw new OneKeyLocalError(
         'Not signed in to Google. Please sign in first.',
       );
diff --git a/packages/shared/src/storage/SupabaseStorage/consts.ts b/packages/shared/src/storage/SupabaseStorage/consts.ts
index a616ddd65478..8435f584005c 100644
--- a/packages/shared/src/storage/SupabaseStorage/consts.ts
+++ b/packages/shared/src/storage/SupabaseStorage/consts.ts
@@ -8,7 +8,7 @@ export const SUPABASE_STORAGE_KEY_PREFIX = 'OneKeySupabaseAuth__';
 
 // Extract project ref from SUPABASE_PROJECT_URL
 // URL format: https://<project-ref>.supabase.co
-export function getSupabaseProjectRef(): string {
+function getSupabaseProjectRef(): string {
   const match = SUPABASE_PROJECT_URL.match(/https?:\/\/([^.]+)\.supabase\.co/);
   return match?.[1] || '';
 }
diff --git a/packages/shared/src/storage/secureStorage/index.desktop.ts b/packages/shared/src/storage/secureStorage/index.desktop.ts
index f12d5b7228ba..77ea0654fbe6 100644
--- a/packages/shared/src/storage/secureStorage/index.desktop.ts
+++ b/packages/shared/src/storage/secureStorage/index.desktop.ts
@@ -1,4 +1,5 @@
 import { OneKeyLocalError } from '../../errors';
+import platformEnv from '../../platformEnv';
 
 import type { ISecureStorage } from './types';
 
@@ -18,7 +19,13 @@ const getSecureItem = async (key: string) => {
 const removeSecureItem = async (key: string) =>
   globalThis?.desktopApiProxy?.storage?.secureDelItemAsync(key);
 
-const supportSecureStorage = async () => true;
+const supportSecureStorage = async () => {
+  // The secure storage of the desktop in the development environment does not work, the data written only has the key, and the value is always empty
+  if (platformEnv.isDesktop && platformEnv.isDev) {
+    return false;
+  }
+  return true;
+};
 
 const storage: ISecureStorage = {
   setSecureItem,
diff --git a/packages/shared/src/utils/accountUtils.ts b/packages/shared/src/utils/accountUtils.ts
index ac0c6da6374c..e09cf5837512 100644
--- a/packages/shared/src/utils/accountUtils.ts
+++ b/packages/shared/src/utils/accountUtils.ts
@@ -1016,6 +1016,18 @@ function buildKeylessDevicePackKey({
   return `OneKey_Keyless__${packSetId}`;
 }
 
+function buildKeylessMnemonicPasswordKey({
+  ownerId,
+}: {
+  ownerId: string;
+}): string {
+  return `OneKey_Keyless_MnemonicPwd__${ownerId}`;
+}
+
+function buildKeylessRefreshTokenKey({ ownerId }: { ownerId: string }): string {
+  return `OneKey_Keyless_RefreshToken__${ownerId}`;
+}
+
 function isValidDeriveType(deriveType: string): boolean {
   if (!deriveType) return false;
   const validDeriveTypes: Record<IAccountDeriveTypes, true> = {
@@ -1037,6 +1049,8 @@ export default {
 
   getKeylessWalletPackSetId,
   buildKeylessDevicePackKey,
+  buildKeylessMnemonicPasswordKey,
+  buildKeylessRefreshTokenKey,
   buildKeylessWalletId,
   buildAccountValueKey,
   parseAccountValueKey,
diff --git a/packages/shared/src/utils/timerUtils.ts b/packages/shared/src/utils/timerUtils.ts
index 4afff2ce3a3a..9471ac36d6ea 100644
--- a/packages/shared/src/utils/timerUtils.ts
+++ b/packages/shared/src/utils/timerUtils.ts
@@ -86,8 +86,12 @@ function getTimeDurationMs({
   );
 }
 
-const wait = (ms: number) =>
+const wait = (ms: number, options?: { devOnly?: boolean }) =>
   new Promise((resolve) => {
+    if (options?.devOnly && process.env.NODE_ENV === 'production') {
+      resolve(void 0);
+      return;
+    }
     setTimeout(resolve, ms);
   });
 
diff --git a/yarn.lock b/yarn.lock
index ae869ea3315c..9da0732d8816 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7745,6 +7745,7 @@ __metadata:
     jest-html-reporter: "npm:^3.10.2"
     jotai: "npm:^2.5.0"
     js-md5: "npm:^0.8.3"
+    juicebox-sdk: "npm:^0.3.4"
     lightweight-charts: "npm:^3.8.0"
     long: "npm:^5.2.1"
     lru-cache: "npm:^10.2.0"
@@ -8014,11 +8015,13 @@ __metadata:
     "@onekeyhq/components": "npm:*"
     "@onekeyhq/kit": "npm:*"
     "@onekeyhq/shared": "npm:*"
+    "@phantom/react-native-juicebox-sdk": "npm:0.3.17"
     "@react-native-async-storage/async-storage": "npm:2.2.0"
     "@react-native-community/netinfo": "npm:11.4.1"
     "@react-native-community/slider": "npm:5.0.1"
-    "@react-native-google-signin/google-signin": "npm:^9.1.0"
+    "@react-native-google-signin/google-signin": "npm:16.1.0"
     "@react-native/metro-config": "npm:0.81.5"
+    "@reown/appkit-ethers5-react-native": "npm:1.3.1"
     "@rozenite/expo-atlas-plugin": "npm:1.0.0-alpha.16"
     "@rozenite/metro": "npm:1.0.0-alpha.16"
     "@rozenite/mmkv-plugin": "npm:1.0.0-alpha.16"
@@ -8824,6 +8827,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@phantom/react-native-juicebox-sdk@npm:0.3.17":
+  version: 0.3.17
+  resolution: "@phantom/react-native-juicebox-sdk@npm:0.3.17"
+  peerDependencies:
+    react: "*"
+    react-native: "*"
+  checksum: 10/973046a3144b24dcab4c804ee81e8b108c3ce10408929e409c02ac41e5d636138486f30f5b43f27cef69fda729fdcb16c4d9767712de3eff45d56eeb490136cb
+  languageName: node
+  linkType: hard
+
 "@phosphor-icons/webcomponents@npm:2.1.5":
   version: 2.1.5
   resolution: "@phosphor-icons/webcomponents@npm:2.1.5"
@@ -10494,17 +10507,17 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@react-native-google-signin/google-signin@npm:^9.1.0":
-  version: 9.1.0
-  resolution: "@react-native-google-signin/google-signin@npm:9.1.0"
+"@react-native-google-signin/google-signin@npm:16.1.0":
+  version: 16.1.0
+  resolution: "@react-native-google-signin/google-signin@npm:16.1.0"
   peerDependencies:
-    expo: ">=47.0.0"
+    expo: ">=52.0.40"
     react: "*"
     react-native: "*"
   peerDependenciesMeta:
     expo:
       optional: true
-  checksum: 10/342bbbedbd2be3098cbc652779254bac395f13a261745dfc2092fd09d4dae1c47242023da1e80fdffb119778110abb2b6b22245291d7c522a15c4aee151c7ff5
+  checksum: 10/bd7f2f4055a35660acfa3bc1153254cbdb40643e893bb0b0f973c78e4919d7be5ba6b9979cddd0d740b61957b6f64094465ed251a844b4345961cf3b1dfd3eeb
   languageName: node
   linkType: hard
 
@@ -29391,6 +29404,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"juicebox-sdk@npm:^0.3.4":
+  version: 0.3.4
+  resolution: "juicebox-sdk@npm:0.3.4"
+  checksum: 10/c5531e7da88ab80a5af9409cdc3d3219cfd766830b29b3ff39c21bf646c8afef080c4d1200aa0f809a7bc5c94e81eb39d1566c2046835399524597e00f3c6526
+  languageName: node
+  linkType: hard
+
 "jwt-decode@npm:^4.0.0":
   version: 4.0.0
   resolution: "jwt-decode@npm:4.0.0"