From 9d319eb0007e2704343210e1ddb4407a5fb95ab7 Mon Sep 17 00:00:00 2001
From: d2dyno <53011783+d2dyno1@users.noreply.github.com>
Date: Sun, 31 May 2026 20:36:42 +0200
Subject: [PATCH 1/3] Begin working on App Platform

---
 .../SecureFolderFS.Core.Cryptography.csproj   |   1 +
 .../Models/SecurityWrapper.cs                 |   5 +-
 .../Operational/AppPlatformCreationRoutine.cs |  91 ++++++++++++
 .../Operational/AppPlatformUnlockRoutine.cs   |  80 ++++++++++
 .../Routines/Operational/VaultRoutines.cs     |  11 ++
 .../VaultAccess/VaultParser.cs                |   6 +-
 .../AndroidVaultCredentialsService.cs         |   2 +-
 .../IOSVaultCredentialsService.cs             |   2 +-
 .../VaultManagerService.cs                    |  32 ++++
 .../AppPlatformCreationViewModel.cs           | 137 ++++++++++++++++++
 .../SkiaVaultCredentialsService.cs            |   5 +-
 .../WindowsVaultCredentialsService.cs         |   5 +-
 .../RegistrationTemplateSelector.cs           |   3 +
 .../UserControls/LoginControl.xaml            |  18 ++-
 .../UserControls/RegisterControl.xaml         |  29 ++++
 .../Services/IVaultManagerService.cs          |  19 +++
 .../IAppPlatformVaultRegistration.cs          |  24 +++
 .../ViewModels/Controls/LoginViewModel.cs     |   5 +-
 .../Wizard/CredentialsWizardViewModel.cs      |  20 +++
 .../Models/AppPlatformVaultOptions.cs         |  12 --
 20 files changed, 477 insertions(+), 30 deletions(-)
 create mode 100644 src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformCreationRoutine.cs
 create mode 100644 src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformUnlockRoutine.cs
 create mode 100644 src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs
 create mode 100644 src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/Authentication/IAppPlatformVaultRegistration.cs

diff --git a/src/Core/SecureFolderFS.Core.Cryptography/SecureFolderFS.Core.Cryptography.csproj b/src/Core/SecureFolderFS.Core.Cryptography/SecureFolderFS.Core.Cryptography.csproj
index d29745225..d506b3a88 100644
--- a/src/Core/SecureFolderFS.Core.Cryptography/SecureFolderFS.Core.Cryptography.csproj
+++ b/src/Core/SecureFolderFS.Core.Cryptography/SecureFolderFS.Core.Cryptography.csproj
@@ -9,6 +9,7 @@
 
   <ItemGroup>
     <PackageReference Include="Base4K" Version="1.0.4" />
+    <PackageReference Include="jose-jwt" Version="5.3.0" />
     <PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
     <PackageReference Include="Miscreant" Version="0.3.3" />
     <PackageReference Include="NSec.Cryptography" Version="26.4.0" />
diff --git a/src/Core/SecureFolderFS.Core/Models/SecurityWrapper.cs b/src/Core/SecureFolderFS.Core/Models/SecurityWrapper.cs
index 6300d8813..fdec13c68 100644
--- a/src/Core/SecureFolderFS.Core/Models/SecurityWrapper.cs
+++ b/src/Core/SecureFolderFS.Core/Models/SecurityWrapper.cs
@@ -8,7 +8,7 @@
 
 namespace SecureFolderFS.Core.Models
 {
-    internal sealed class SecurityWrapper : IWrapper<Security>, IEnumerable<KeyValuePair<string, object>>, IDisposable
+    internal sealed class SecurityWrapper : IWrapper<Security>, IWrapper<KeyPair>, IEnumerable<KeyValuePair<string, object>>, IDisposable
     {
         private readonly KeyPair _keyPair;
         private readonly VaultConfigurationDataModel _configDataModel;
@@ -21,6 +21,9 @@ internal sealed class SecurityWrapper : IWrapper<Security>, IEnumerable<KeyValue
                 fileNameCipherId: _configDataModel.FileNameCipherId,
                 fileNameEncodingId: _configDataModel.FileNameEncodingId);
 
+        /// <inheritdoc/>
+        KeyPair IWrapper<KeyPair>.Inner => _keyPair;
+
         public SecurityWrapper(KeyPair keyPair, VaultConfigurationDataModel configDataModel)
         {
             _keyPair = keyPair;
diff --git a/src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformCreationRoutine.cs b/src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformCreationRoutine.cs
new file mode 100644
index 000000000..1d2e9409d
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformCreationRoutine.cs
@@ -0,0 +1,91 @@
+using System;
+using System.Security.Cryptography;
+using System.Threading;
+using System.Threading.Tasks;
+using OwlCore.Storage;
+using SecureFolderFS.Core.Cryptography;
+using SecureFolderFS.Core.DataModels;
+using SecureFolderFS.Core.Models;
+using SecureFolderFS.Core.VaultAccess;
+using SecureFolderFS.Shared.ComponentModel;
+using SecureFolderFS.Shared.Models;
+using SecureFolderFS.Shared.SecureStore;
+using static SecureFolderFS.Core.Constants.Vault;
+using static SecureFolderFS.Core.Cryptography.Constants;
+
+namespace SecureFolderFS.Core.Routines.Operational
+{
+    /// <summary>
+    /// Creation routine for App Platform vaults. Generates DEK+MAC internally (no password, no keystore.cfg).
+    /// </summary>
+    public sealed class AppPlatformCreationRoutine : ICreationRoutine
+    {
+        private readonly IFolder _vaultFolder;
+        private readonly VaultWriter _vaultWriter;
+        private VaultConfigurationDataModel? _configDataModel;
+        private SecureKey? _dekKey;
+        private SecureKey? _macKey;
+
+        public AppPlatformCreationRoutine(IFolder vaultFolder, VaultWriter vaultWriter)
+        {
+            _vaultFolder = vaultFolder;
+            _vaultWriter = vaultWriter;
+        }
+
+        /// <inheritdoc/>
+        public Task InitAsync(CancellationToken cancellationToken = default)
+        {
+            var dekKey = new byte[KeyTraits.DEK_KEY_LENGTH];
+            var macKey = new byte[KeyTraits.MAC_KEY_LENGTH];
+
+            RandomNumberGenerator.Fill(dekKey);
+            RandomNumberGenerator.Fill(macKey);
+
+            _dekKey = SecureKey.TakeOwnership(dekKey);
+            _macKey = SecureKey.TakeOwnership(macKey);
+
+            return Task.CompletedTask;
+        }
+
+        /// <inheritdoc/>
+        public void SetCredentials(IKeyUsage passkey)
+        {
+            // No-op: App Platform vaults don't use passkey-derived keys
+        }
+
+        /// <inheritdoc/>
+        public void SetOptions(VaultOptions vaultOptions)
+        {
+            _configDataModel = VaultConfigurationDataModel.V4FromVaultOptions(vaultOptions);
+        }
+
+        /// <inheritdoc/>
+        public async Task<IDisposable> FinalizeAsync(CancellationToken cancellationToken)
+        {
+            ArgumentNullException.ThrowIfNull(_configDataModel);
+            ArgumentNullException.ThrowIfNull(_dekKey);
+            ArgumentNullException.ThrowIfNull(_macKey);
+
+            _macKey.UseKey(macKey =>
+            {
+                VaultParser.CalculateConfigMac(_configDataModel, macKey, _configDataModel.PayloadMac);
+            });
+
+            // Write only sfconfig.cfg - no keystore.cfg for App Platform vaults
+            await _vaultWriter.WriteConfigurationAsync(_configDataModel, cancellationToken);
+
+            // Create the content folder
+            if (_vaultFolder is IModifiableFolder modifiableFolder)
+                await modifiableFolder.CreateFolderAsync(Names.VAULT_CONTENT_FOLDERNAME, true, cancellationToken);
+
+            return new SecurityWrapper(KeyPair.ImportKeys(_dekKey, _macKey), _configDataModel);
+        }
+
+        /// <inheritdoc/>
+        public void Dispose()
+        {
+            _dekKey?.Dispose();
+            _macKey?.Dispose();
+        }
+    }
+}
diff --git a/src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformUnlockRoutine.cs b/src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformUnlockRoutine.cs
new file mode 100644
index 000000000..602ed63ad
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core/Routines/Operational/AppPlatformUnlockRoutine.cs
@@ -0,0 +1,80 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using SecureFolderFS.Core.Cryptography;
+using SecureFolderFS.Core.DataModels;
+using SecureFolderFS.Core.Models;
+using SecureFolderFS.Core.Validators;
+using SecureFolderFS.Core.VaultAccess;
+using SecureFolderFS.Shared.ComponentModel;
+using SecureFolderFS.Shared.SecureStore;
+
+namespace SecureFolderFS.Core.Routines.Operational
+{
+    /// <summary>
+    /// Unlock routine for App Platform vaults. Accepts DEK || MAC directly from the server-brokered key hierarchy.
+    /// </summary>
+    internal sealed class AppPlatformUnlockRoutine : ICredentialsRoutine
+    {
+        private readonly VaultReader _vaultReader;
+        private VaultConfigurationDataModel? _configDataModel;
+        private SecureKey? _dekKey;
+        private SecureKey? _macKey;
+
+        public AppPlatformUnlockRoutine(VaultReader vaultReader)
+        {
+            _vaultReader = vaultReader;
+        }
+
+        /// <inheritdoc/>
+        public async Task InitAsync(CancellationToken cancellationToken)
+        {
+            _configDataModel = await _vaultReader.ReadConfigurationAsync(cancellationToken);
+        }
+
+        /// <inheritdoc/>
+        public void SetCredentials(IKeyUsage passkey)
+        {
+            ArgumentNullException.ThrowIfNull(_configDataModel);
+
+            passkey.UseKey(key =>
+            {
+                if (key.Length != Cryptography.Constants.KeyTraits.DEK_KEY_LENGTH + Cryptography.Constants.KeyTraits.MAC_KEY_LENGTH)
+                    throw new ArgumentException($"Expected {Cryptography.Constants.KeyTraits.DEK_KEY_LENGTH + Cryptography.Constants.KeyTraits.MAC_KEY_LENGTH} bytes (DEK+MAC), got {key.Length}.");
+
+                var dekBytes = new byte[Cryptography.Constants.KeyTraits.DEK_KEY_LENGTH];
+                var macBytes = new byte[Cryptography.Constants.KeyTraits.MAC_KEY_LENGTH];
+
+                key.Slice(0, Cryptography.Constants.KeyTraits.DEK_KEY_LENGTH).CopyTo(dekBytes);
+                key.Slice(Cryptography.Constants.KeyTraits.DEK_KEY_LENGTH, Cryptography.Constants.KeyTraits.MAC_KEY_LENGTH).CopyTo(macBytes);
+
+                _dekKey = SecureKey.TakeOwnership(dekBytes);
+                _macKey = SecureKey.TakeOwnership(macBytes);
+            });
+        }
+
+        /// <inheritdoc/>
+        public async Task<IDisposable> FinalizeAsync(CancellationToken cancellationToken)
+        {
+            ArgumentNullException.ThrowIfNull(_dekKey);
+            ArgumentNullException.ThrowIfNull(_macKey);
+            ArgumentNullException.ThrowIfNull(_configDataModel);
+
+            using (_dekKey)
+            using (_macKey)
+            {
+                var validator = new ConfigurationValidator(_macKey);
+                await validator.ValidateAsync(_configDataModel, cancellationToken);
+
+                return new SecurityWrapper(KeyPair.ImportKeys(_dekKey, _macKey), _configDataModel);
+            }
+        }
+
+        /// <inheritdoc/>
+        public void Dispose()
+        {
+            _dekKey?.Dispose();
+            _macKey?.Dispose();
+        }
+    }
+}
diff --git a/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs b/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs
index d12da28f4..7d97f70e9 100644
--- a/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs
+++ b/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs
@@ -33,12 +33,23 @@ public ICreationRoutine CreateVault()
             return new CreationRoutine(_vaultFolder, VaultWriter);
         }
 
+        public AppPlatformCreationRoutine CreateAppPlatformVault()
+        {
+            return new AppPlatformCreationRoutine(_vaultFolder, VaultWriter);
+        }
+
         public ICredentialsRoutine UnlockVault()
         {
             CheckVaultValidation();
             return new UnlockRoutine(VaultReader);
         }
 
+        public ICredentialsRoutine UnlockAppPlatformVault()
+        {
+            CheckVaultValidation();
+            return new AppPlatformUnlockRoutine(VaultReader);
+        }
+
         public ICredentialsRoutine RecoverVault()
         {
             CheckVaultValidation();
diff --git a/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs b/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs
index b1d4203d4..5ab4712d2 100644
--- a/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs
+++ b/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs
@@ -30,11 +30,7 @@ public static void CalculateConfigMac(VaultConfigurationDataModel configDataMode
             hmacSha256.AppendData(BitConverter.GetBytes(configDataModel.ShorteningThreshold));                              // ShorteningThreshold
             hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.FileNameEncodingId));                              // FileNameEncodingId
             hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.Uid));                                             // Uid
-            // hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.AppPlatform?.ServerUrl ?? string.Empty));
-            // hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.AppPlatform?.VaultResource ?? string.Empty));
-            // hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.AppPlatform?.Organization ?? string.Empty));
-            // hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.AppPlatform?.AccessTokenEndpoint ?? string.Empty));
-            // hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.AppPlatform?.DeviceRegistrationEndpoint ?? string.Empty));
+            hmacSha256.AppendData(Encoding.UTF8.GetBytes(configDataModel.AppPlatform?.ServerUrl ?? string.Empty));           // AppPlatform.ServerUrl
             hmacSha256.AppendFinalData(Encoding.UTF8.GetBytes(configDataModel.AuthenticationMethod));                       // AuthenticationMethod
 
             // Fill the hash to payload
diff --git a/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs
index 0707c3654..2d3973852 100644
--- a/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs
@@ -50,7 +50,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
                     Constants.Vault.Authentication.AUTH_ANDROID_BIOMETRIC => new AndroidBiometricLoginViewModel(vaultFolder, vaultId),
                     
                     // App Platform
-                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(),
+                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(vaultFolder),
                     
                     _ => throw new NotSupportedException($"The authentication method '{item}' is not supported by the platform.")
                 };
diff --git a/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs
index 366c907f5..24fc696d1 100644
--- a/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs
@@ -63,7 +63,7 @@ Constants.Vault.Authentication.AUTH_APPLE_BIOMETRIC when AreBiometricsAvailable(
                         }),
                     
                     // App Platform
-                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(),
+                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(vaultFolder),
                     
                     _ => throw new NotSupportedException($"The authentication method '{item}' is not supported by the platform.")
                 };
diff --git a/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs b/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs
index 10da9d1b3..8beb16540 100644
--- a/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs
+++ b/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs
@@ -32,6 +32,27 @@ public virtual async Task<IDisposable> CreateAsync(IFolder vaultFolder, IKeyUsag
             return await creationRoutine.FinalizeAsync(cancellationToken);
         }
 
+        /// <inheritdoc/>
+        public virtual async Task<(IDisposable UnlockContract, IKeyUsage DekKey, IKeyUsage MacKey)> CreateAppPlatformAsync(IFolder vaultFolder, VaultOptions vaultOptions, CancellationToken cancellationToken = default)
+        {
+            var routines = await VaultRoutines.CreateRoutinesAsync(vaultFolder, StreamSerializer.Instance, cancellationToken);
+            using var creationRoutine = routines.CreateAppPlatformVault();
+            await creationRoutine.InitAsync(cancellationToken);
+            creationRoutine.SetOptions(vaultOptions);
+
+            if (vaultFolder is IModifiableFolder modifiableFolder)
+            {
+                var readmeFile = await modifiableFolder.CreateFileAsync(Sdk.Constants.Vault.VAULT_README_FILENAME, true, cancellationToken);
+                await readmeFile.WriteAllTextAsync(Sdk.Constants.Vault.VAULT_README_MESSAGE, Encoding.UTF8, cancellationToken);
+            }
+
+            var unlockContract = await creationRoutine.FinalizeAsync(cancellationToken);
+            if (unlockContract is not IWrapper<KeyPair> { Inner: { } keyPair })
+                throw new InvalidOperationException("Could not retrieve the KeyPair from the unlock contract.");
+            
+            return (unlockContract, keyPair.DekKey, keyPair.MacKey);
+        }
+
         /// <inheritdoc/>
         public virtual async Task<IDisposable> UnlockAsync(IFolder vaultFolder, IKeyUsage passkey, CancellationToken cancellationToken = default)
         {
@@ -43,6 +64,17 @@ public virtual async Task<IDisposable> UnlockAsync(IFolder vaultFolder, IKeyUsag
             return await unlockRoutine.FinalizeAsync(cancellationToken);
         }
 
+        /// <inheritdoc/>
+        public virtual async Task<IDisposable> UnlockAppPlatformAsync(IFolder vaultFolder, IKeyUsage passkey, CancellationToken cancellationToken = default)
+        {
+            var routines = await VaultRoutines.CreateRoutinesAsync(vaultFolder, StreamSerializer.Instance, cancellationToken);
+            using var unlockRoutine = routines.UnlockAppPlatformVault();
+
+            await unlockRoutine.InitAsync(cancellationToken);
+            unlockRoutine.SetCredentials(passkey);
+            return await unlockRoutine.FinalizeAsync(cancellationToken);
+        }
+
         /// <inheritdoc/>
         public virtual async Task<IDisposable> RecoverAsync(IFolder vaultFolder, string encodedRecoveryKey, CancellationToken cancellationToken = default)
         {
diff --git a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs
new file mode 100644
index 000000000..ff70a1454
--- /dev/null
+++ b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs
@@ -0,0 +1,137 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using CommunityToolkit.Mvvm.ComponentModel;
+using SecureFolderFS.Core.Cryptography.Jwe;
+using SecureFolderFS.Sdk.AppPlatform;
+using SecureFolderFS.Sdk.Enums;
+using SecureFolderFS.Sdk.EventArguments;
+using SecureFolderFS.Sdk.ViewModels.Controls.Authentication;
+using SecureFolderFS.Shared;
+using SecureFolderFS.Shared.ComponentModel;
+using SecureFolderFS.Shared.Models;
+using SecureFolderFS.Shared.SecureStore;
+
+namespace SecureFolderFS.UI.ViewModels.Authentication
+{
+    public sealed partial class AppPlatformCreationViewModel : AuthenticationViewModel, IVaultOptionsProvider, IAppPlatformVaultRegistration
+    {
+        private AppPlatformClient? _client;
+
+        [ObservableProperty] private string? _ServerUrl;
+        [ObservableProperty] private bool _IsAuthenticated;
+
+        /// <inheritdoc/>
+        public override event EventHandler<EventArgs>? StateChanged;
+
+        /// <inheritdoc/>
+        public override event EventHandler<CredentialsProvidedEventArgs>? CredentialsProvided;
+
+        /// <inheritdoc/>
+        public override bool CanComplement { get; } = false;
+
+        /// <inheritdoc/>
+        public override AuthenticationStage Availability { get; } = AuthenticationStage.FirstStageOnly;
+
+        public AppPlatformCreationViewModel()
+            : base(Core.Constants.Vault.Authentication.AUTH_APP_PLATFORM)
+        {
+            Title = "App Platform";
+        }
+
+        /// <inheritdoc/>
+        public override Task RevokeAsync(string? id, CancellationToken cancellationToken = default)
+        {
+            return Task.FromException(new NotSupportedException());
+        }
+
+        /// <inheritdoc/>
+        public override Task<IResult<IKeyBytes>> EnrollAsync(string id, byte[]? data, CancellationToken cancellationToken = default)
+        {
+            return Task.FromException<IResult<IKeyBytes>>(new NotSupportedException());
+        }
+
+        /// <inheritdoc/>
+        public override Task<IResult<IKeyBytes>> AcquireAsync(string id, byte[]? data, CancellationToken cancellationToken = default)
+        {
+            return Task.FromException<IResult<IKeyBytes>>(new NotSupportedException());
+        }
+
+        /// <inheritdoc/>
+        protected override async Task ProvideCredentialsAsync(CancellationToken cancellationToken)
+        {
+            if (string.IsNullOrWhiteSpace(ServerUrl))
+                throw new InvalidOperationException("A server URL is required.");
+
+            var authProvider = DI.Service<IAppPlatformAuthProvider>();
+
+            _client?.Dispose();
+            _client = new AppPlatformClient(ServerUrl);
+
+            var authConfig = await _client.GetAuthConfigAsync(cancellationToken);
+            var accessToken = await authProvider.GetAccessTokenAsync(
+                authConfig.Authority, authConfig.ClientId, authConfig.Scopes, cancellationToken);
+            _client.SetAccessToken(accessToken);
+
+            var user = await _client.GetMeAsync(cancellationToken);
+            if (!user.IsSetupComplete || string.IsNullOrWhiteSpace(user.PublicKeyJwk))
+                throw new InvalidOperationException("Complete the App Platform first-time setup before creating a vault.");
+
+            IsAuthenticated = true;
+
+            var tcs = new TaskCompletionSource();
+            CredentialsProvided?.Invoke(this, new(ManagedKey.Empty, tcs));
+            await tcs.Task;
+        }
+
+        /// <inheritdoc/>
+        public VaultOptions AmendVaultOptions(VaultOptions options)
+        {
+            return options with
+            {
+                AppPlatform = new AppPlatformVaultOptions
+                {
+                    ServerUrl = ServerUrl!
+                }
+            };
+        }
+
+        /// <inheritdoc/>
+        public async Task RegisterVaultAsync(string vaultId, string? name, IKeyUsage dekKey, IKeyUsage macKey, CancellationToken cancellationToken = default)
+        {
+            if (_client is null)
+                throw new InvalidOperationException("The App Platform connection has not been authenticated.");
+
+            var user = await _client.GetMeAsync(cancellationToken);
+            if (string.IsNullOrWhiteSpace(user.PublicKeyJwk))
+                throw new InvalidOperationException("The user account is not set up.");
+
+            var vaultKeyJwe = GetVaultJweKey(user, dekKey, macKey);
+            await _client.RegisterVaultAsync(vaultId, name, vaultKeyJwe, description: null, cancellationToken);
+        }
+
+        private static unsafe string GetVaultJweKey(AppPlatformClient.UserInfo userInfo, IKeyUsage dekKey, IKeyUsage macKey)
+        {
+            return dekKey.UseKey(dek =>
+            {
+                fixed (byte* dekPtr = dek)
+                {
+                    var state = (dekPtr: (nint)dekPtr, dekLen: dek.Length);
+                    return macKey.UseKey(state, (mac, s) =>
+                    {
+                        var localDek = new ReadOnlySpan<byte>((byte*)s.dekPtr, s.dekLen);
+                        return JweHelper.EncryptVaultKey(localDek, mac, userInfo.PublicKeyJwk);
+                    });
+                }
+            });
+        }
+
+        /// <inheritdoc/>
+        public override void Dispose()
+        {
+            _client?.Dispose();
+            _client = null;
+            base.Dispose();
+        }
+    }
+}
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
index d06020069..802e816c8 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
@@ -47,6 +47,9 @@ public override async IAsyncEnumerable<AuthenticationViewModel> GetCreationAsync
             // Device Link
             yield return new DeviceLinkCreationViewModel(vaultFolder, vaultId) { Icon = new ImageGlyph("\uE8EA") };
 
+            // App Platform
+            yield return new AppPlatformCreationViewModel() { Icon = new ImageGlyph("\uF69B") };
+
             await Task.CompletedTask;
         }
         
@@ -78,7 +81,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
                     Constants.Vault.Authentication.AUTH_DEVICE_LINK => new DeviceLinkLoginViewModel(vaultFolder, vaultId).WithInitAsync(cancellationToken),
                     
                     // App Platform
-                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(),
+                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(vaultFolder),
                     
                     _ => throw new NotSupportedException($"The authentication method '{item}' is not supported by the platform.")
                 };
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
index e08b855d6..6cf7025d6 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
@@ -45,6 +45,9 @@ public override async IAsyncEnumerable<AuthenticationViewModel> GetCreationAsync
 
             // Device Link
             yield return new DeviceLinkCreationViewModel(vaultFolder, vaultId) { Icon = new ImageGlyph("\uE8EA") };
+
+            // App Platform
+            yield return new AppPlatformCreationViewModel() { Icon = new ImageGlyph("\uF69B") };
         }
 
         /// <inheritdoc/>
@@ -75,7 +78,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
                     Constants.Vault.Authentication.AUTH_DEVICE_LINK => new DeviceLinkLoginViewModel(vaultFolder, vaultId) { Icon = new ImageGlyph("\uE8EA") },
                     
                     // App Platform
-                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(),
+                    Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(vaultFolder),
 
                     _ => throw new NotSupportedException($"The authentication method '{item}' is not supported by the platform.")
                 };
diff --git a/src/Platforms/SecureFolderFS.Uno/TemplateSelectors/RegistrationTemplateSelector.cs b/src/Platforms/SecureFolderFS.Uno/TemplateSelectors/RegistrationTemplateSelector.cs
index a9765595f..026c8aad6 100644
--- a/src/Platforms/SecureFolderFS.Uno/TemplateSelectors/RegistrationTemplateSelector.cs
+++ b/src/Platforms/SecureFolderFS.Uno/TemplateSelectors/RegistrationTemplateSelector.cs
@@ -25,6 +25,8 @@ internal sealed class RegistrationTemplateSelector : BaseTemplateSelector<Observ
 
         public DataTemplate? DeviceLinkTemplate { get; set; }
 
+        public DataTemplate? AppPlatformTemplate { get; set; }
+
         protected override DataTemplate? SelectTemplateCore(ObservableObject? item, DependencyObject container)
         {
 #if __UNO_SKIA_MACOS__
@@ -41,6 +43,7 @@ internal sealed class RegistrationTemplateSelector : BaseTemplateSelector<Observ
                 MacOSBiometricsCreationViewModel => TouchIDTemplate,
 #endif
                 DeviceLinkCreationViewModel => DeviceLinkTemplate,
+                AppPlatformCreationViewModel => AppPlatformTemplate,
                 _ => base.SelectTemplateCore(item, container)
             };
         }
diff --git a/src/Platforms/SecureFolderFS.Uno/UserControls/LoginControl.xaml b/src/Platforms/SecureFolderFS.Uno/UserControls/LoginControl.xaml
index 6cc2f28b5..666f08c93 100644
--- a/src/Platforms/SecureFolderFS.Uno/UserControls/LoginControl.xaml
+++ b/src/Platforms/SecureFolderFS.Uno/UserControls/LoginControl.xaml
@@ -144,15 +144,19 @@
                 <FontIcon
                     HorizontalAlignment="Center"
                     FontSize="24"
-                    Glyph="&#xF69B;" />
+                    Glyph="&#xE753;" />
 
-                <!--  Info  -->
-                <InfoBar
+                <!--  Title  -->
+                <TextBlock HorizontalAlignment="Center" Text="Sign in with App Platform" />
+
+                <!--  Authenticate  -->
+                <Button
+                    Padding="24,6"
                     HorizontalAlignment="Center"
-                    IsClosable="False"
-                    IsOpen="True"
-                    Message="Authenticating with App Platform is not supported in this version. Please update SecureFolderFS."
-                    Severity="Warning" />
+                    Command="{x:Bind ProvideCredentialsCommand, Mode=OneWay}"
+                    Content="{l:ResourceString Rid=Authenticate}"
+                    Style="{ThemeResource AccentButtonStyle}"
+                    Visibility="{Binding Path=ProvideContinuationButton, ElementName=ThisLoginControl, Mode=OneWay, Converter={StaticResource BoolToVisibilityConverter}}" />
             </StackPanel>
         </DataTemplate>
 
diff --git a/src/Platforms/SecureFolderFS.Uno/UserControls/RegisterControl.xaml b/src/Platforms/SecureFolderFS.Uno/UserControls/RegisterControl.xaml
index 9680209b1..d0b67f70d 100644
--- a/src/Platforms/SecureFolderFS.Uno/UserControls/RegisterControl.xaml
+++ b/src/Platforms/SecureFolderFS.Uno/UserControls/RegisterControl.xaml
@@ -181,11 +181,40 @@
                     Style="{ThemeResource AccentButtonStyle}" />
             </StackPanel>
         </DataTemplate>
+
+        <!--  App Platform Template  -->
+        <DataTemplate x:Key="AppPlatformTemplate" x:DataType="vm:AppPlatformCreationViewModel">
+            <StackPanel Spacing="16">
+                <!--  Icon  -->
+                <FontIcon
+                    HorizontalAlignment="Center"
+                    FontSize="24"
+                    Glyph="&#xF69B;" />
+
+                <!--  Title  -->
+                <TextBlock HorizontalAlignment="Center" Text="Connect to App Platform" />
+
+                <!--  Server URL  -->
+                <TextBox
+                    Header="Server URL"
+                    PlaceholderText="https://"
+                    Text="{x:Bind ServerUrl, Mode=TwoWay}" />
+
+                <!--  Authenticate  -->
+                <Button
+                    Padding="24,6"
+                    HorizontalAlignment="Center"
+                    Command="{x:Bind ProvideCredentialsCommand, Mode=OneWay}"
+                    Content="{l:ResourceString Rid=Setup}"
+                    Style="{ThemeResource AccentButtonStyle}" />
+            </StackPanel>
+        </DataTemplate>
     </UserControl.Resources>
 
     <ContentControl HorizontalContentAlignment="Stretch" Content="{x:Bind CurrentViewModel, Mode=OneWay}">
         <ContentControl.ContentTemplateSelector>
             <ts:RegistrationTemplateSelector
+                AppPlatformTemplate="{StaticResource AppPlatformTemplate}"
                 DeviceLinkTemplate="{StaticResource DeviceLinkTemplate}"
                 KeyFileTemplate="{StaticResource KeyFileTemplate}"
                 PasswordTemplate="{StaticResource PasswordTemplate}"
diff --git a/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs b/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs
index 855fd006c..d8b4f7fd8 100644
--- a/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs
@@ -57,6 +57,25 @@ public interface IVaultManagerService
         // TODO: Consider using IVaultUnlockingModel
         //Task<IVaultUnlockingModel> GetUnlockingModelAsync(IFolder vaultFolder, CancellationToken cancellationToken = default);
 
+        /// <summary>
+        /// Creates a new App Platform vault. Generates DEK+MAC internally (no password, no keystore.cfg).
+        /// Returns the security wrapper and raw key bytes for encryption and upload to the server.
+        /// </summary>
+        /// <param name="vaultFolder">The folder where the vault should be created.</param>
+        /// <param name="vaultOptions">The required options to set for this vault (must have AppPlatform set).</param>
+        /// <param name="cancellationToken">A <see cref="CancellationToken"/> that cancels this action.</param>
+        /// <returns>A <see cref="Task"/> that represents the asynchronous operation. Value is a tuple of (unlockContract, dekKey, macKey).</returns>
+        Task<(IDisposable UnlockContract, IKeyUsage DekKey, IKeyUsage MacKey)> CreateAppPlatformAsync(IFolder vaultFolder, VaultOptions vaultOptions, CancellationToken cancellationToken = default);
+
+        /// <summary>
+        /// Unlocks an App Platform vault using the combined DEK+MAC key from the server.
+        /// </summary>
+        /// <param name="vaultFolder">The <see cref="IFolder"/> that represents the vault.</param>
+        /// <param name="passkey">The combined DEK‖MAC key (64 bytes) obtained from the server-brokered key chain.</param>
+        /// <param name="cancellationToken">A <see cref="CancellationToken"/> that cancels this action.</param>
+        /// <returns>A <see cref="Task"/> that represents the asynchronous operation. Value is <see cref="IDisposable"/> that represents the unlock contract.</returns>
+        Task<IDisposable> UnlockAppPlatformAsync(IFolder vaultFolder, IKeyUsage passkey, CancellationToken cancellationToken = default);
+
         Task ModifyComplementationAsync(IFolder vaultFolder, IDisposable unlockContract, ComplementationCredentials credentials, VaultOptions vaultOptions, CancellationToken cancellationToken = default);
 
         /// <summary>
diff --git a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/Authentication/IAppPlatformVaultRegistration.cs b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/Authentication/IAppPlatformVaultRegistration.cs
new file mode 100644
index 000000000..5f5839a4c
--- /dev/null
+++ b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/Authentication/IAppPlatformVaultRegistration.cs
@@ -0,0 +1,24 @@
+using System.Threading;
+using System.Threading.Tasks;
+using SecureFolderFS.Shared.ComponentModel;
+
+namespace SecureFolderFS.Sdk.ViewModels.Controls.Authentication
+{
+    /// <summary>
+    /// Implemented by creation authentication view models that register the newly created
+    /// vault key material with an App Platform server.
+    /// </summary>
+    public interface IAppPlatformVaultRegistration
+    {
+        /// <summary>
+        /// Encrypts and uploads the vault key (DEK + MAC) to the App Platform server.
+        /// </summary>
+        /// <param name="vaultId">The unique identifier of the vault.</param>
+        /// <param name="name">An optional human-friendly display name for the vault.</param>
+        /// <param name="dekKey">The raw Data Encryption Key. Caller retains ownership.</param>
+        /// <param name="macKey">The raw Message Authentication Code key. Caller retains ownership.</param>
+        /// <param name="cancellationToken">A <see cref="CancellationToken"/> that cancels this action.</param>
+        /// <returns>A <see cref="Task"/> that represents the asynchronous operation.</returns>
+        Task RegisterVaultAsync(string vaultId, string? name, IKeyUsage dekKey, IKeyUsage macKey, CancellationToken cancellationToken = default);
+    }
+}
diff --git a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs
index 6a1865844..db2ef0e16 100644
--- a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs
@@ -282,7 +282,10 @@ private async Task<bool> TryUnlockAsync(CancellationToken cancellationToken = de
         {
             try
             {
-                var unlockContract = await VaultManagerService.UnlockAsync(_vaultFolder, _keySequence, cancellationToken);
+                var isAppPlatform = _authenticatedMethodIds.Contains("app_platform"); // TODO: Avoid arbitrary authId constants in Sdk
+                var unlockContract = isAppPlatform
+                    ? await VaultManagerService.UnlockAppPlatformAsync(_vaultFolder, _keySequence, cancellationToken)
+                    : await VaultManagerService.UnlockAsync(_vaultFolder, _keySequence, cancellationToken);
                 _vaultOptions ??= await VaultService.GetVaultOptionsAsync(_vaultFolder, cancellationToken);
                 if (string.IsNullOrWhiteSpace(_vaultOptions.VaultId))
                 {
diff --git a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Wizard/CredentialsWizardViewModel.cs b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Wizard/CredentialsWizardViewModel.cs
index dfe906ae9..f8b067256 100644
--- a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Wizard/CredentialsWizardViewModel.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Wizard/CredentialsWizardViewModel.cs
@@ -3,6 +3,7 @@
 using System.Collections.ObjectModel;
 using System.ComponentModel;
 using System.Linq;
+using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using CommunityToolkit.Mvvm.ComponentModel;
@@ -96,6 +97,25 @@ public async Task<IResult> TryContinueAsync(CancellationToken cancellationToken)
                 if (RegisterViewModel.CurrentViewModel is IVaultOptionsProvider optionsProvider)
                     vaultOptions = optionsProvider.AmendVaultOptions(vaultOptions);
 
+                // App Platform vaults generate their own key material and register it with the server
+                if (RegisterViewModel.CurrentViewModel is IAppPlatformVaultRegistration appPlatformRegistration)
+                {
+                    var (appPlatformContract, dekKey, macKey) = await VaultManagerService.CreateAppPlatformAsync(
+                        modifiableFolder,
+                        vaultOptions,
+                        cancellationToken);
+
+                    // Copies are created because returned DekKey and MacKey are part of the contract
+                    // If they were disposed instead, the Recovery Key screen wouldn't show any keys
+                    using var dekCopy = dekKey.CreateCopy();
+                    using var macCopy = macKey.CreateCopy();
+
+                    var vaultName = VaultModel.DataModel.DisplayName ?? VaultModel.VaultFolder?.Name;
+                    await appPlatformRegistration.RegisterVaultAsync(_vaultId, vaultName, dekKey, macKey, cancellationToken);
+
+                    return new CredentialsResult(appPlatformContract, _vaultId);
+                }
+
                 // Create the vault
                 var unlockContract = await VaultManagerService.CreateAsync(
                     modifiableFolder,
diff --git a/src/Shared/SecureFolderFS.Shared/Models/AppPlatformVaultOptions.cs b/src/Shared/SecureFolderFS.Shared/Models/AppPlatformVaultOptions.cs
index c6861a165..baa796ed7 100644
--- a/src/Shared/SecureFolderFS.Shared/Models/AppPlatformVaultOptions.cs
+++ b/src/Shared/SecureFolderFS.Shared/Models/AppPlatformVaultOptions.cs
@@ -11,18 +11,6 @@ public sealed record class AppPlatformVaultOptions
     {
         [JsonPropertyName("serverUrl")]
         public required string ServerUrl { get; init; }
-
-        [JsonPropertyName("vaultResource")]
-        public required string VaultResource { get; init; }
-
-        [JsonPropertyName("organization")]
-        public string? Organization { get; init; }
-
-        [JsonPropertyName("accessTokenEndpoint")]
-        public string AccessTokenEndpoint { get; init; } = "/api/app-platform/access-token";
-
-        [JsonPropertyName("deviceRegistrationEndpoint")]
-        public string DeviceRegistrationEndpoint { get; init; } = "/api/app-platform/devices";
     }
 }
 

From 2d21278affe552b30e3dff7a34bd928939a0ec45 Mon Sep 17 00:00:00 2001
From: d2dyno <53011783+d2dyno1@users.noreply.github.com>
Date: Mon, 1 Jun 2026 00:27:40 +0200
Subject: [PATCH 2/3] Added APP_PLATFORM_PRESENT compile constant

---
 SecureFolderFS.slnx                           |  1 +
 src/Platforms/Directory.Build.props           | 13 +++++++++++
 .../SecureFolderFS.UI.csproj                  |  4 ++++
 .../AppPlatformCreationViewModel.cs           |  4 +++-
 .../Desktop/Helpers/SkiaLifecycleHelper.cs    |  7 ++++++
 .../SkiaVaultCredentialsService.cs            |  4 ++++
 .../Windows/Helpers/WindowsLifecycleHelper.cs |  8 +++++++
 .../WindowsVaultCredentialsService.cs         |  4 ++++
 .../SecureFolderFS.Uno.csproj                 |  4 ++--
 .../ComponentModel/IOidcProvider.cs           | 22 +++++++++++++++++++
 10 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 src/Shared/SecureFolderFS.Shared/ComponentModel/IOidcProvider.cs

diff --git a/SecureFolderFS.slnx b/SecureFolderFS.slnx
index f7d1d4207..e94443dec 100644
--- a/SecureFolderFS.slnx
+++ b/SecureFolderFS.slnx
@@ -83,6 +83,7 @@
     </Project>
   </Folder>
   <Folder Name="/src/Sdk/">
+    <Project Path="src/Sdk/SecureFolderFS.Sdk.AppPlatform/SecureFolderFS.Sdk.AppPlatform.csproj" />
     <Project Path="src/Sdk/SecureFolderFS.Sdk.Accounts/SecureFolderFS.Sdk.Accounts.csproj" />
     <Project Path="src/Sdk/SecureFolderFS.Sdk.DeviceLink/SecureFolderFS.Sdk.DeviceLink.csproj" />
     <Project Path="src/Sdk/SecureFolderFS.Sdk.Dropbox/SecureFolderFS.Sdk.Dropbox.csproj" />
diff --git a/src/Platforms/Directory.Build.props b/src/Platforms/Directory.Build.props
index 2e6891c2c..0ced37112 100644
--- a/src/Platforms/Directory.Build.props
+++ b/src/Platforms/Directory.Build.props
@@ -31,6 +31,19 @@
     <IncludeSourceRevisionInInformationalVersion Condition="'$(Configuration)'=='Debug'">false</IncludeSourceRevisionInInformationalVersion>
   </PropertyGroup>
 
+  <!-- Detect App Platform SDK -->
+  <PropertyGroup>
+    <AppPlatformSdkPath>
+      $(MSBuildThisFileDirectory)..\Sdk\SecureFolderFS.Sdk.AppPlatform\SecureFolderFS.Sdk.AppPlatform.csproj
+    </AppPlatformSdkPath>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="Exists('$(AppPlatformSdkPath)')">
+    <DefineConstants>
+      $(DefineConstants);APP_PLATFORM_PRESENT
+    </DefineConstants>
+  </PropertyGroup>
+
   <Choose>
     <When Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">
       <PropertyGroup>
diff --git a/src/Platforms/SecureFolderFS.UI/SecureFolderFS.UI.csproj b/src/Platforms/SecureFolderFS.UI/SecureFolderFS.UI.csproj
index d20e56ab8..1177b5d5e 100644
--- a/src/Platforms/SecureFolderFS.UI/SecureFolderFS.UI.csproj
+++ b/src/Platforms/SecureFolderFS.UI/SecureFolderFS.UI.csproj
@@ -4,6 +4,7 @@
     <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>disable</ImplicitUsings>
     <Nullable>enable</Nullable>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
   </PropertyGroup>
 
   <!-- Packages -->
@@ -18,6 +19,9 @@
     <ProjectReference Include="..\..\Core\SecureFolderFS.Core\SecureFolderFS.Core.csproj" />
     <ProjectReference Include="..\..\Sdk\SecureFolderFS.Sdk.DeviceLink\SecureFolderFS.Sdk.DeviceLink.csproj" />
     <ProjectReference Include="..\..\Sdk\SecureFolderFS.Sdk\SecureFolderFS.Sdk.csproj" />
+  
+    <!-- Detect App Platform SDK -->
+    <ProjectReference Include="$(AppPlatformSdkPath)" Condition="Exists('$(AppPlatformSdkPath)')" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs
index ff70a1454..0012d1633 100644
--- a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs
+++ b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformCreationViewModel.cs
@@ -1,3 +1,4 @@
+#if APP_PLATFORM_PRESENT
 using System;
 using System.Threading;
 using System.Threading.Tasks;
@@ -63,7 +64,7 @@ protected override async Task ProvideCredentialsAsync(CancellationToken cancella
             if (string.IsNullOrWhiteSpace(ServerUrl))
                 throw new InvalidOperationException("A server URL is required.");
 
-            var authProvider = DI.Service<IAppPlatformAuthProvider>();
+            var authProvider = DI.Service<IOidcProvider>();
 
             _client?.Dispose();
             _client = new AppPlatformClient(ServerUrl);
@@ -135,3 +136,4 @@ public override void Dispose()
         }
     }
 }
+#endif
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/Helpers/SkiaLifecycleHelper.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/Helpers/SkiaLifecycleHelper.cs
index 923846ef1..7bab2a3a0 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/Helpers/SkiaLifecycleHelper.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/Helpers/SkiaLifecycleHelper.cs
@@ -13,6 +13,10 @@
 using SecureFolderFS.Uno.Extensions;
 using SecureFolderFS.Uno.Platforms.Desktop.ServiceImplementation;
 using AddService = Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions;
+#if APP_PLATFORM_PRESENT
+using SecureFolderFS.Sdk.AppPlatform;
+using SecureFolderFS.Shared.ComponentModel;
+#endif
 
 namespace SecureFolderFS.Uno.Platforms.Desktop.Helpers
 {
@@ -65,6 +69,9 @@ protected override IServiceCollection ConfigureServices(IModifiableFolder settin
                     .Override<ILocalizationService, ResourceLocalizationService>(AddService.AddSingleton)
                     .Override<IVaultFileSystemService, SkiaVaultFileSystemService>(AddService.AddSingleton)
                     .Override<IVaultCredentialsService, SkiaVaultCredentialsService>(AddService.AddSingleton)
+#if APP_PLATFORM_PRESENT
+                    .Override<IOidcProvider, BrowserAuthProvider>(AddService.AddSingleton)
+#endif
 
                     .WithUnoServices(settingsFolder)
                 ;
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
index 802e816c8..c8bdd9b62 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
@@ -47,8 +47,10 @@ public override async IAsyncEnumerable<AuthenticationViewModel> GetCreationAsync
             // Device Link
             yield return new DeviceLinkCreationViewModel(vaultFolder, vaultId) { Icon = new ImageGlyph("\uE8EA") };
 
+#if APP_PLATFORM_PRESENT
             // App Platform
             yield return new AppPlatformCreationViewModel() { Icon = new ImageGlyph("\uF69B") };
+#endif
 
             await Task.CompletedTask;
         }
@@ -80,8 +82,10 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
                     // Device Link
                     Constants.Vault.Authentication.AUTH_DEVICE_LINK => new DeviceLinkLoginViewModel(vaultFolder, vaultId).WithInitAsync(cancellationToken),
                     
+#if APP_PLATFORM_PRESENT
                     // App Platform
                     Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(vaultFolder),
+#endif
                     
                     _ => throw new NotSupportedException($"The authentication method '{item}' is not supported by the platform.")
                 };
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/Helpers/WindowsLifecycleHelper.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/Helpers/WindowsLifecycleHelper.cs
index 26d1bfef5..fb2dd7843 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/Helpers/WindowsLifecycleHelper.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/Helpers/WindowsLifecycleHelper.cs
@@ -13,6 +13,10 @@
 using Windows.Storage;
 using SecureFolderFS.Shared.Extensions;
 using AddService = Microsoft.Extensions.DependencyInjection.ServiceCollectionServiceExtensions;
+#if APP_PLATFORM_PRESENT
+using SecureFolderFS.Sdk.AppPlatform;
+using SecureFolderFS.Shared.ComponentModel;
+#endif
 
 namespace SecureFolderFS.Uno.Platforms.Windows.Helpers
 {
@@ -54,6 +58,10 @@ protected override IServiceCollection ConfigureServices(IModifiableFolder settin
                 .Override<IApplicationService, WindowsApplicationService>(AddService.AddSingleton)
                 .Override<IVaultFileSystemService, WindowsVaultFileSystemService>(AddService.AddSingleton)
                 .Override<IVaultCredentialsService, WindowsVaultCredentialsService>(AddService.AddSingleton)
+                
+#if APP_PLATFORM_PRESENT
+                .Override<IOidcProvider, BrowserAuthProvider>(AddService.AddSingleton)
+#endif
 
                 // IIapService, IUpdateService
 #if DEBUG || UNPACKAGED
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
index 6cf7025d6..a3b76bf77 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
@@ -46,8 +46,10 @@ public override async IAsyncEnumerable<AuthenticationViewModel> GetCreationAsync
             // Device Link
             yield return new DeviceLinkCreationViewModel(vaultFolder, vaultId) { Icon = new ImageGlyph("\uE8EA") };
 
+#if APP_PLATFORM_PRESENT
             // App Platform
             yield return new AppPlatformCreationViewModel() { Icon = new ImageGlyph("\uF69B") };
+#endif
         }
 
         /// <inheritdoc/>
@@ -77,8 +79,10 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
                     // Device Link
                     Constants.Vault.Authentication.AUTH_DEVICE_LINK => new DeviceLinkLoginViewModel(vaultFolder, vaultId) { Icon = new ImageGlyph("\uE8EA") },
                     
+#if APP_PLATFORM_PRESENT
                     // App Platform
                     Constants.Vault.Authentication.AUTH_APP_PLATFORM => new AppPlatformLoginViewModel(vaultFolder),
+#endif
 
                     _ => throw new NotSupportedException($"The authentication method '{item}' is not supported by the platform.")
                 };
diff --git a/src/Platforms/SecureFolderFS.Uno/SecureFolderFS.Uno.csproj b/src/Platforms/SecureFolderFS.Uno/SecureFolderFS.Uno.csproj
index 98ff4b9fb..9056065f9 100644
--- a/src/Platforms/SecureFolderFS.Uno/SecureFolderFS.Uno.csproj
+++ b/src/Platforms/SecureFolderFS.Uno/SecureFolderFS.Uno.csproj
@@ -57,7 +57,7 @@
     <!-- Skia Desktop -->
     <When Condition="'$(TargetFramework)'=='net10.0-desktop'">
       <PropertyGroup>
-        <DefineConstants>HAS_UNO_SKIA</DefineConstants>
+        <DefineConstants>$(DefineConstants);HAS_UNO_SKIA</DefineConstants>
       </PropertyGroup>
 
       <ItemGroup>
@@ -153,7 +153,7 @@
 
       <!-- Define UNPACKAGED constant -->
       <PropertyGroup Condition="'$(WindowsPackageType)' == 'None'">
-        <DefineConstants>UNPACKAGED</DefineConstants>
+        <DefineConstants>$(DefineConstants);UNPACKAGED</DefineConstants>
       </PropertyGroup>
     </When>
   </Choose>
diff --git a/src/Shared/SecureFolderFS.Shared/ComponentModel/IOidcProvider.cs b/src/Shared/SecureFolderFS.Shared/ComponentModel/IOidcProvider.cs
new file mode 100644
index 000000000..caed37172
--- /dev/null
+++ b/src/Shared/SecureFolderFS.Shared/ComponentModel/IOidcProvider.cs
@@ -0,0 +1,22 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace SecureFolderFS.Shared.ComponentModel
+{
+    /// <summary>
+    /// Provides OAuth2/OIDC authentication to obtain access tokens for a server.
+    /// </summary>
+    public interface IOidcProvider
+    {
+        /// <summary>
+        /// Authenticates the user and returns a valid access token.
+        /// </summary>
+        /// <param name="authority">The OIDC authority URL.</param>
+        /// <param name="clientId">The OAuth2 client ID.</param>
+        /// <param name="scopes">The OAuth2 scopes to request.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        /// <returns>A <see cref="Task"/> that represents the asynchronous operation. Value is a valid Bearer access token.</returns>
+        Task<string> GetAccessTokenAsync(string authority, string clientId, IReadOnlyList<string> scopes, CancellationToken cancellationToken = default);
+    }
+}

From 2c88472e64a64fadb727b98ea8a7acf08b3e47b2 Mon Sep 17 00:00:00 2001
From: d2dyno <53011783+d2dyno1@users.noreply.github.com>
Date: Mon, 1 Jun 2026 00:53:24 +0200
Subject: [PATCH 3/3] Added missing components

---
 .../Jwe/AccountKeyHelper.cs                   |  77 +++++++++
 .../Jwe/EcKeyHelper.cs                        | 159 ++++++++++++++++++
 .../Jwe/JweHelper.cs                          | 108 ++++++++++++
 src/Platforms/Directory.Packages.props        |   2 +
 .../AppPlatformLoginViewModel.cs              | 131 ++++++++++++++-
 5 files changed, 472 insertions(+), 5 deletions(-)
 create mode 100644 src/Core/SecureFolderFS.Core.Cryptography/Jwe/AccountKeyHelper.cs
 create mode 100644 src/Core/SecureFolderFS.Core.Cryptography/Jwe/EcKeyHelper.cs
 create mode 100644 src/Core/SecureFolderFS.Core.Cryptography/Jwe/JweHelper.cs

diff --git a/src/Core/SecureFolderFS.Core.Cryptography/Jwe/AccountKeyHelper.cs b/src/Core/SecureFolderFS.Core.Cryptography/Jwe/AccountKeyHelper.cs
new file mode 100644
index 000000000..61a9febe1
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core.Cryptography/Jwe/AccountKeyHelper.cs
@@ -0,0 +1,77 @@
+using System;
+using System.Security.Cryptography;
+using Jose;
+
+namespace SecureFolderFS.Core.Cryptography.Jwe
+{
+    /// <summary>
+    /// Provides PBES2-based JWE operations for Account Key (passphrase) wrapping of EC private keys.
+    /// Used to bootstrap new devices when no device-specific JWE exists yet.
+    /// </summary>
+    public static class AccountKeyHelper
+    {
+        /// <summary>
+        /// Wraps an EC private key (in DER format) under a user-provided passphrase using PBES2-HS256+A128KW / A256GCM.
+        /// </summary>
+        /// <param name="privateKeyBytes">The EC private key bytes (DER-encoded) to wrap.</param>
+        /// <param name="passphrase">The user-provided Account Key passphrase.</param>
+        /// <returns>A JWE compact serialization string containing the encrypted private key.</returns>
+        public static string Wrap(byte[] privateKeyBytes, string passphrase)
+        {
+            return JWT.EncodeBytes(privateKeyBytes, passphrase, JweAlgorithm.PBES2_HS256_A128KW, JweEncryption.A256GCM);
+        }
+
+        /// <summary>
+        /// Unwraps an EC private key from a PBES2-protected JWE using the Account Key passphrase.
+        /// </summary>
+        /// <param name="jweCompact">The JWE compact serialization containing the wrapped private key.</param>
+        /// <param name="passphrase">The user-provided Account Key passphrase.</param>
+        /// <returns>The EC private key bytes (DER-encoded).</returns>
+        public static byte[] Unwrap(string jweCompact, string passphrase)
+        {
+            return JWT.DecodeBytes(jweCompact, passphrase, JweAlgorithm.PBES2_HS256_A128KW, JweEncryption.A256GCM);
+        }
+
+        /// <summary>
+        /// Wraps a user's EC private key for Account Key bootstrap.
+        /// The private key is stored in JWK format inside the JWE for cross-platform compatibility.
+        /// </summary>
+        /// <param name="userPrivateKey">The user's EC private key to wrap.</param>
+        /// <param name="passphrase">The user-provided Account Key passphrase.</param>
+        /// <returns>A JWE compact serialization containing the encrypted user private key (as JWK).</returns>
+        public static string WrapUserKey(ECDiffieHellman userPrivateKey, string passphrase)
+        {
+            var privateKeyJwk = EcKeyHelper.ExportPrivateKeyJwk(userPrivateKey);
+            var privateKeyBytes = System.Text.Encoding.UTF8.GetBytes(privateKeyJwk);
+            try
+            {
+                return Wrap(privateKeyBytes, passphrase);
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(privateKeyBytes);
+            }
+        }
+
+        /// <summary>
+        /// Unwraps a user's EC private key from an Account Key-protected JWE.
+        /// Expects the JWE to contain the private key in JWK format.
+        /// </summary>
+        /// <param name="jweCompact">The JWE compact serialization containing the wrapped user private key.</param>
+        /// <param name="passphrase">The user-provided Account Key passphrase.</param>
+        /// <returns>An <see cref="ECDiffieHellman"/> instance with the decrypted user private key.</returns>
+        public static ECDiffieHellman UnwrapUserKey(string jweCompact, string passphrase)
+        {
+            var privateKeyBytes = Unwrap(jweCompact, passphrase);
+            try
+            {
+                var jwk = System.Text.Encoding.UTF8.GetString(privateKeyBytes);
+                return EcKeyHelper.ImportPrivateKeyJwk(jwk);
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(privateKeyBytes);
+            }
+        }
+    }
+}
diff --git a/src/Core/SecureFolderFS.Core.Cryptography/Jwe/EcKeyHelper.cs b/src/Core/SecureFolderFS.Core.Cryptography/Jwe/EcKeyHelper.cs
new file mode 100644
index 000000000..33bda9aa8
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core.Cryptography/Jwe/EcKeyHelper.cs
@@ -0,0 +1,159 @@
+using System;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+
+namespace SecureFolderFS.Core.Cryptography.Jwe
+{
+    /// <summary>
+    /// Provides EC P-256 key pair generation, JWK serialization, and import/export operations.
+    /// </summary>
+    public static class EcKeyHelper
+    {
+        /// <summary>
+        /// Generates a new EC P-256 key pair for ECDH key agreement.
+        /// </summary>
+        public static ECDiffieHellman GenerateKeyPair()
+        {
+            return ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
+        }
+
+        /// <summary>
+        /// Exports the public key of an <see cref="ECDiffieHellman"/> instance as a JWK JSON string.
+        /// </summary>
+        /// <param name="key">The key pair to export the public component from.</param>
+        /// <returns>A JSON string in JWK format containing the public key.</returns>
+        public static string ExportPublicKeyJwk(ECDiffieHellman key)
+        {
+            var parameters = key.ExportParameters(includePrivateParameters: false);
+            return SerializeJwk(parameters, includePrivate: false);
+        }
+
+        /// <summary>
+        /// Exports the full key pair (public + private) as a JWK JSON string.
+        /// </summary>
+        /// <param name="key">The key pair to export.</param>
+        /// <returns>A JSON string in JWK format containing both public and private key components.</returns>
+        public static string ExportPrivateKeyJwk(ECDiffieHellman key)
+        {
+            var parameters = key.ExportParameters(includePrivateParameters: true);
+            return SerializeJwk(parameters, includePrivate: true);
+        }
+
+        /// <summary>
+        /// Exports the private key as a DER-encoded byte array suitable for secure storage.
+        /// </summary>
+        /// <param name="key">The key pair to export the private key from.</param>
+        /// <returns>A byte array containing the private key in SEC1/ECPrivateKey format.</returns>
+        public static byte[] ExportPrivateKeyBytes(ECDiffieHellman key)
+        {
+            return key.ExportECPrivateKey();
+        }
+
+        /// <summary>
+        /// Imports an EC P-256 public key from a JWK JSON string.
+        /// </summary>
+        /// <param name="jwk">The JWK JSON string containing the public key.</param>
+        /// <returns>An <see cref="ECDiffieHellman"/> instance with only the public key component.</returns>
+        public static ECDiffieHellman ImportPublicKeyJwk(string jwk)
+        {
+            var parameters = DeserializeJwk(jwk);
+            parameters.D = null;
+            var ecdh = ECDiffieHellman.Create();
+            ecdh.ImportParameters(parameters);
+            return ecdh;
+        }
+
+        /// <summary>
+        /// Imports an EC P-256 key pair from a JWK JSON string that includes the private key.
+        /// </summary>
+        /// <param name="jwk">The JWK JSON string containing both public and private key components.</param>
+        /// <returns>An <see cref="ECDiffieHellman"/> instance with both public and private key components.</returns>
+        public static ECDiffieHellman ImportPrivateKeyJwk(string jwk)
+        {
+            var parameters = DeserializeJwk(jwk);
+            var ecdh = ECDiffieHellman.Create();
+            ecdh.ImportParameters(parameters);
+            return ecdh;
+        }
+
+        /// <summary>
+        /// Imports a private key from a DER-encoded byte array (SEC1/ECPrivateKey format).
+        /// </summary>
+        /// <param name="privateKeyBytes">The DER-encoded private key bytes.</param>
+        /// <returns>An <see cref="ECDiffieHellman"/> instance with the imported private key.</returns>
+        public static ECDiffieHellman ImportPrivateKeyBytes(byte[] privateKeyBytes)
+        {
+            var ecdh = ECDiffieHellman.Create();
+            ecdh.ImportECPrivateKey(privateKeyBytes, out _);
+            return ecdh;
+        }
+
+        private static string SerializeJwk(ECParameters parameters, bool includePrivate)
+        {
+            using var stream = new System.IO.MemoryStream();
+            using (var writer = new Utf8JsonWriter(stream))
+            {
+                writer.WriteStartObject();
+                writer.WriteString("kty", "EC");
+                writer.WriteString("crv", "P-256");
+                writer.WriteString("x", Base64UrlEncode(parameters.Q.X!));
+                writer.WriteString("y", Base64UrlEncode(parameters.Q.Y!));
+
+                if (includePrivate && parameters.D is not null)
+                    writer.WriteString("d", Base64UrlEncode(parameters.D));
+
+                writer.WriteEndObject();
+            }
+
+            return Encoding.UTF8.GetString(stream.ToArray());
+        }
+
+        private static ECParameters DeserializeJwk(string jwk)
+        {
+            using var doc = JsonDocument.Parse(jwk);
+            var root = doc.RootElement;
+
+            var kty = root.GetProperty("kty").GetString();
+            var crv = root.GetProperty("crv").GetString();
+
+            if (kty != "EC" || crv != "P-256")
+                throw new CryptographicException($"Unsupported JWK key type or curve: kty={kty}, crv={crv}");
+
+            var parameters = new ECParameters
+            {
+                Curve = ECCurve.NamedCurves.nistP256,
+                Q = new ECPoint
+                {
+                    X = Base64UrlDecode(root.GetProperty("x").GetString()!),
+                    Y = Base64UrlDecode(root.GetProperty("y").GetString()!)
+                }
+            };
+
+            if (root.TryGetProperty("d", out var dElement) && dElement.GetString() is { } dValue)
+                parameters.D = Base64UrlDecode(dValue);
+
+            return parameters;
+        }
+
+        private static string Base64UrlEncode(byte[] data)
+        {
+            return Convert.ToBase64String(data)
+                .TrimEnd('=')
+                .Replace('+', '-')
+                .Replace('/', '_');
+        }
+
+        private static byte[] Base64UrlDecode(string base64Url)
+        {
+            var s = base64Url.Replace('-', '+').Replace('_', '/');
+            switch (s.Length % 4)
+            {
+                case 2: s += "=="; break;
+                case 3: s += "="; break;
+            }
+
+            return Convert.FromBase64String(s);
+        }
+    }
+}
diff --git a/src/Core/SecureFolderFS.Core.Cryptography/Jwe/JweHelper.cs b/src/Core/SecureFolderFS.Core.Cryptography/Jwe/JweHelper.cs
new file mode 100644
index 000000000..5afa2c25e
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core.Cryptography/Jwe/JweHelper.cs
@@ -0,0 +1,108 @@
+using System;
+using System.Security.Cryptography;
+using Jose;
+
+namespace SecureFolderFS.Core.Cryptography.Jwe
+{
+    /// <summary>
+    /// Provides JWE encryption/decryption using ECDH-ES+A256KW key agreement with A256GCM content encryption.
+    /// </summary>
+    public static class JweHelper
+    {
+        /// <summary>
+        /// Encrypts a byte payload for a recipient's EC P-256 public key, producing a JWE compact serialization.
+        /// </summary>
+        /// <param name="plaintext">The plaintext bytes to encrypt.</param>
+        /// <param name="recipientPublicKey">The recipient's EC P-256 public key (only the public component is used).</param>
+        /// <returns>A JWE compact serialization string.</returns>
+        public static string Encrypt(byte[] plaintext, ECDiffieHellman recipientPublicKey)
+        {
+            return JWT.EncodeBytes(plaintext, recipientPublicKey, JweAlgorithm.ECDH_ES_A256KW, JweEncryption.A256GCM);
+        }
+
+        /// <summary>
+        /// Encrypts a byte payload for a recipient identified by their public key JWK string.
+        /// </summary>
+        /// <param name="plaintext">The plaintext bytes to encrypt.</param>
+        /// <param name="recipientPublicKeyJwk">The recipient's public key as a JWK JSON string.</param>
+        /// <returns>A JWE compact serialization string.</returns>
+        public static string Encrypt(byte[] plaintext, string recipientPublicKeyJwk)
+        {
+            using var publicKey = EcKeyHelper.ImportPublicKeyJwk(recipientPublicKeyJwk);
+            return Encrypt(plaintext, publicKey);
+        }
+
+        /// <summary>
+        /// Decrypts a JWE compact serialization using the recipient's EC P-256 private key.
+        /// </summary>
+        /// <param name="jweCompact">The JWE compact serialization string to decrypt.</param>
+        /// <param name="recipientPrivateKey">The recipient's EC P-256 private key.</param>
+        /// <returns>The decrypted plaintext bytes.</returns>
+        public static byte[] Decrypt(string jweCompact, ECDiffieHellman recipientPrivateKey)
+        {
+            return JWT.DecodeBytes(jweCompact, recipientPrivateKey, JweAlgorithm.ECDH_ES_A256KW, JweEncryption.A256GCM);
+        }
+
+        /// <summary>
+        /// Decrypts a JWE compact serialization using a private key loaded from raw bytes.
+        /// </summary>
+        /// <param name="jweCompact">The JWE compact serialization string to decrypt.</param>
+        /// <param name="recipientPrivateKeyBytes">The recipient's private key as DER-encoded bytes.</param>
+        /// <returns>The decrypted plaintext bytes.</returns>
+        public static byte[] Decrypt(string jweCompact, byte[] recipientPrivateKeyBytes)
+        {
+            using var privateKey = EcKeyHelper.ImportPrivateKeyBytes(recipientPrivateKeyBytes);
+            return Decrypt(jweCompact, privateKey);
+        }
+
+        /// <summary>
+        /// Encrypts a vault key (DEK + MAC concatenated) for a recipient, producing a JWE.
+        /// </summary>
+        /// <param name="dekKey">The 32-byte Data Encryption Key.</param>
+        /// <param name="macKey">The 32-byte Message Authentication Code key.</param>
+        /// <param name="recipientPublicKeyJwk">The recipient's public key as a JWK JSON string.</param>
+        /// <returns>A JWE compact serialization containing the encrypted vault key material.</returns>
+        public static string EncryptVaultKey(ReadOnlySpan<byte> dekKey, ReadOnlySpan<byte> macKey, string recipientPublicKeyJwk)
+        {
+            var combined = new byte[dekKey.Length + macKey.Length];
+            try
+            {
+                dekKey.CopyTo(combined);
+                macKey.CopyTo(combined.AsSpan(dekKey.Length));
+                return Encrypt(combined, recipientPublicKeyJwk);
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(combined);
+            }
+        }
+
+        /// <summary>
+        /// Decrypts a JWE containing a vault key and splits it into DEK and MAC components.
+        /// </summary>
+        /// <param name="jweCompact">The JWE compact serialization containing the encrypted vault key.</param>
+        /// <param name="recipientPrivateKey">The recipient's EC P-256 private key.</param>
+        /// <returns>A tuple of (dekKey, macKey) byte arrays. Caller is responsible for zeroing these when done.</returns>
+        public static (byte[] dekKey, byte[] macKey) DecryptVaultKey(string jweCompact, ECDiffieHellman recipientPrivateKey)
+        {
+            var combined = Decrypt(jweCompact, recipientPrivateKey);
+            try
+            {
+                if (combined.Length != Constants.KeyTraits.DEK_KEY_LENGTH + Constants.KeyTraits.MAC_KEY_LENGTH)
+                    throw new CryptographicException($"Decrypted vault key has unexpected length: {combined.Length}");
+
+                var dekKey = new byte[Constants.KeyTraits.DEK_KEY_LENGTH];
+                var macKey = new byte[Constants.KeyTraits.MAC_KEY_LENGTH];
+
+                combined.AsSpan(0, Constants.KeyTraits.DEK_KEY_LENGTH).CopyTo(dekKey);
+                combined.AsSpan(Constants.KeyTraits.DEK_KEY_LENGTH, Constants.KeyTraits.MAC_KEY_LENGTH).CopyTo(macKey);
+
+                return (dekKey, macKey);
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(combined);
+            }
+        }
+    }
+}
diff --git a/src/Platforms/Directory.Packages.props b/src/Platforms/Directory.Packages.props
index dba561f37..5a5b091b4 100644
--- a/src/Platforms/Directory.Packages.props
+++ b/src/Platforms/Directory.Packages.props
@@ -19,6 +19,8 @@
     <PackageVersion Include="Microsoft.Maui.Essentials" Version="10.0.31" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="10.0.5" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.4" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.0" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.0" />
     <PackageVersion Include="Microsoft.Windows.Compatibility" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Windows.SDK.BuildTools" Version="10.0.22621.756" />
     <PackageVersion Include="Octokit" Version="14.0.0" />
diff --git a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformLoginViewModel.cs b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformLoginViewModel.cs
index fee2826bb..469a6426a 100644
--- a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformLoginViewModel.cs
+++ b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/AppPlatformLoginViewModel.cs
@@ -1,18 +1,35 @@
+#if APP_PLATFORM_PRESENT
 using System;
+using System.Diagnostics;
+using System.Net;
+using System.Net.Sockets;
+using System.Security.Cryptography;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Web;
+using OwlCore.Storage;
+using SecureFolderFS.Core.VaultAccess;
 using SecureFolderFS.Sdk.Enums;
 using SecureFolderFS.Sdk.EventArguments;
 using SecureFolderFS.Sdk.ViewModels.Controls.Authentication;
 using SecureFolderFS.Shared.ComponentModel;
+using SecureFolderFS.Shared.Models;
+using SecureFolderFS.Shared.SecureStore;
 
 namespace SecureFolderFS.UI.ViewModels.Authentication
 {
+    /// <summary>
+    /// The system browser authenticates via Keycloak, decrypts the vault key
+    /// client-side, and passes the result to a localhost callback.
+    /// </summary>
     public sealed partial class AppPlatformLoginViewModel : AuthenticationViewModel
     {
+        private readonly IFolder _vaultFolder;
+
         /// <inheritdoc/>
         public override event EventHandler<EventArgs>? StateChanged;
-        
+
         /// <inheritdoc/>
         public override event EventHandler<CredentialsProvidedEventArgs>? CredentialsProvided;
 
@@ -21,10 +38,12 @@ public sealed partial class AppPlatformLoginViewModel : AuthenticationViewModel
 
         /// <inheritdoc/>
         public override AuthenticationStage Availability { get; } = AuthenticationStage.FirstStageOnly;
-        
-        public AppPlatformLoginViewModel()
+
+        public AppPlatformLoginViewModel(IFolder vaultFolder)
             : base(Core.Constants.Vault.Authentication.AUTH_APP_PLATFORM)
         {
+            _vaultFolder = vaultFolder;
+            Title = "App Platform";
         }
 
         /// <inheritdoc/>
@@ -46,9 +65,111 @@ public override Task<IResult<IKeyBytes>> AcquireAsync(string id, byte[]? data, C
         }
 
         /// <inheritdoc/>
-        protected override Task ProvideCredentialsAsync(CancellationToken cancellationToken)
+        protected override async Task ProvideCredentialsAsync(CancellationToken cancellationToken)
+        {
+            var vaultReader = new VaultReader(_vaultFolder, StreamSerializer.Instance);
+            var config = await vaultReader.ReadConfigurationAsync(cancellationToken);
+
+            if (config.AppPlatform is null)
+                throw new InvalidOperationException("Vault is not configured for App Platform.");
+
+            var serverUrl = config.AppPlatform.ServerUrl.TrimEnd('/');
+            var vaultId = config.Uid;
+
+            // Find a free localhost port for the callback
+            var tcpListener = new TcpListener(IPAddress.Loopback, 0);
+            tcpListener.Start();
+            var port = ((IPEndPoint)tcpListener.LocalEndpoint).Port;
+            tcpListener.Stop();
+
+            var callbackUri = $"http://localhost:{port}/";
+
+            // The server renders a page that authenticates via Keycloak, decrypts the
+            // vault key in-browser using the user's private key (Web Crypto / IndexedDB),
+            // and redirects the decrypted key to our callback.
+            var unlockUrl = $"{serverUrl}/app/unlock" +
+                            $"?vault={Uri.EscapeDataString(vaultId)}" +
+                            $"&redirect={Uri.EscapeDataString(callbackUri)}";
+
+            using var httpListener = new HttpListener();
+            httpListener.Prefixes.Add(callbackUri);
+            httpListener.Start();
+
+            try
+            {
+                Process.Start(new ProcessStartInfo(unlockUrl) { UseShellExecute = true });
+
+                var context = await httpListener.GetContextAsync().WaitAsync(cancellationToken);
+
+                // The unlock page POSTs the key in the request body (not the URL)
+                // to avoid leaking decryption keys in browser history / Referer headers.
+                // Error callbacks use GET with ?error= (no sensitive data).
+                byte[] combined;
+                if (context.Request.HttpMethod == "POST")
+                {
+                    using var reader = new System.IO.StreamReader(context.Request.InputStream, context.Request.ContentEncoding);
+                    var body = await reader.ReadToEndAsync(cancellationToken);
+                    var formData = HttpUtility.ParseQueryString(body);
+                    var keyParam = formData.Get("key");
+
+                    if (string.IsNullOrEmpty(keyParam))
+                    {
+                        SendHtmlResponse(context, false, "No key in POST body.");
+                        throw new InvalidOperationException("App Platform unlock failed: no key received.");
+                    }
+
+                    SendHtmlResponse(context, true, null);
+                    combined = Base64UrlDecode(keyParam);
+                }
+                else
+                {
+                    var queryParams = HttpUtility.ParseQueryString(context.Request.Url?.Query ?? string.Empty);
+                    var errorParam = queryParams.Get("error") ?? "Unknown error";
+                    SendHtmlResponse(context, false, errorParam);
+                    throw new InvalidOperationException($"App Platform unlock failed: {errorParam}");
+                }
+                try
+                {
+                    using var key = ManagedKey.TakeOwnership(combined);
+
+                    var tcs = new TaskCompletionSource();
+                    CredentialsProvided?.Invoke(this, new(key, tcs));
+                    await tcs.Task;
+                }
+                finally
+                {
+                    CryptographicOperations.ZeroMemory(combined);
+                }
+            }
+            finally
+            {
+                httpListener.Stop();
+            }
+        }
+
+        private static byte[] Base64UrlDecode(string base64Url)
         {
-            return Task.CompletedTask;
+            var s = base64Url.Replace('-', '+').Replace('_', '/');
+            switch (s.Length % 4)
+            {
+                case 2: s += "=="; break;
+                case 3: s += "="; break;
+            }
+            return Convert.FromBase64String(s);
+        }
+
+        private static void SendHtmlResponse(HttpListenerContext context, bool success, string? errorMessage)
+        {
+            var html = success
+                ? "<html><body><h2>Vault unlocked</h2><p>You can close this window.</p></body></html>"
+                : $"<html><body><h2>Unlock failed</h2><p>{WebUtility.HtmlEncode(errorMessage)}</p></body></html>";
+
+            var buffer = Encoding.UTF8.GetBytes(html);
+            context.Response.ContentLength64 = buffer.Length;
+            context.Response.ContentType = "text/html; charset=utf-8";
+            context.Response.OutputStream.Write(buffer, 0, buffer.Length);
+            context.Response.OutputStream.Close();
         }
     }
 }
+#endif