diff --git a/src/pages/sdk/auth-client/functions/OcSignIn.mdx b/src/pages/sdk/auth-client/functions/OcSignIn.mdx
index 9c7df56..0f6c22c 100644
--- a/src/pages/sdk/auth-client/functions/OcSignIn.mdx
+++ b/src/pages/sdk/auth-client/functions/OcSignIn.mdx
@@ -15,7 +15,7 @@ export const metadata = {
 function OcSignIn(__namedParameters: OcSignInProps): ReactElement;
 ```
 
-Defined in: [signin.tsx:191](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L191)
+Defined in: [signin.tsx:204](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L204)
 
 ## Parameters
 
diff --git a/src/pages/sdk/auth-client/interfaces/OcSignInProps.mdx b/src/pages/sdk/auth-client/interfaces/OcSignInProps.mdx
index 0502b6f..bbb8344 100644
--- a/src/pages/sdk/auth-client/interfaces/OcSignInProps.mdx
+++ b/src/pages/sdk/auth-client/interfaces/OcSignInProps.mdx
@@ -17,15 +17,16 @@ Defined in: [signin.tsx:43](https://github.com/orangecheck/oc-packages/blob/main
 
 | Property | Type | Description | Defined in |
 | ------ | ------ | ------ | ------ |
-| <a id="property-add"></a> `add?` | `boolean` | Multi-account · when `true`, the sign-in is performed in "add" mode: the resulting session is appended to the browser's existing roster instead of replacing it. The previously-active account stays signed in and remains a switch target on the auth host. Off by default (back-compat). The component also reads `?add=1` from the URL search params and treats it the same — so the auth host's `/signin?add=1` entry point Just Works without any extra prop. The `add` flag is forwarded as a body field to the host's `/api/auth/signin` and `/api/auth/email-otp/verify`; if the host hasn't deployed the multi-account migration yet it silently ignores the field and the call falls back to ordinary signin. | [signin.tsx:126](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L126) |
+| <a id="property-add"></a> `add?` | `boolean` | Multi-account · when `true`, the sign-in is performed in "add" mode: the resulting session is appended to the browser's existing roster instead of replacing it. The previously-active account stays signed in and remains a switch target on the auth host. Off by default (back-compat). The component also reads `?add=1` from the URL search params and treats it the same — so the auth host's `/signin?add=1` entry point Just Works without any extra prop. The `add` flag is forwarded as a body field to the host's `/api/auth/signin` and `/api/auth/email-otp/verify`; if the host hasn't deployed the multi-account migration yet it silently ignores the field and the call falls back to ordinary signin. | [signin.tsx:139](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L139) |
 | <a id="property-audience"></a> `audience` | `string` | Consumer-site audience URL passed as `expectedAudience` on the BIP-322 challenge. e.g. `'https://vault.ochk.io'`. Required — the challenge nonce is bound to this audience. | [signin.tsx:49](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L49) |
 | <a id="property-authorigin"></a> `authOrigin?` | `string` | Override the auth host. Defaults to `'https://ochk.io'`. For preview / dev / staging only. | [signin.tsx:89](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L89) |
-| <a id="property-classname"></a> `className?` | `string` | className for the outer container. | [signin.tsx:128](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L128) |
-| <a id="property-initialpath"></a> `initialPath?` | `"wallet"` \| `"email"` | Initial visible tab on mobile. Defaults to `'wallet'`. On desktop both paths render side-by-side and this is ignored. | [signin.tsx:94](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L94) |
-| <a id="property-linkprompt"></a> `linkPrompt?` | `boolean` | Whether to show the "also link my other identity" checkbox on the sign-in form. **On by default.** The checkbox is optional and unchecked by default; it is shown on both the wallet and email paths. If the user ticks it, the complementary identity's link ceremony (BIP-322 for a wallet, OTP for an email) runs inline immediately after a successful sign-in — before `onSuccess` / `returnTo`, so it composes with custom routing — because the sign-in just proved one credential and the link ceremony proves the second. Pass `linkPrompt={false}` to omit the checkbox. | [signin.tsx:111](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L111) |
+| <a id="property-classname"></a> `className?` | `string` | className for the outer container. | [signin.tsx:141](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L141) |
+| <a id="property-initialpath"></a> `initialPath?` | `"wallet"` \| `"email"` | Initial visible tab. Defaults to `'wallet'` — or to `'email'` when [providersFirst](#property-providersfirst) is set and this is left unspecified. | [signin.tsx:94](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L94) |
+| <a id="property-linkprompt"></a> `linkPrompt?` | `boolean` | Whether to show the "also link my other identity" checkbox on the sign-in form. **On by default.** The checkbox is optional and unchecked by default; it is shown on both the wallet and email paths. If the user ticks it, the complementary identity's link ceremony (BIP-322 for a wallet, OTP for an email) runs inline immediately after a successful sign-in — before `onSuccess` / `returnTo`, so it composes with custom routing — because the sign-in just proved one credential and the link ceremony proves the second. Pass `linkPrompt={false}` to omit the checkbox. | [signin.tsx:124](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L124) |
 | <a id="property-onsuccess"></a> `onSuccess?` | (`account`: [`OcAccount`](OcAccount.mdx), `token?`: `string`) => `void` | Override the default hard-navigation behavior. When provided, called with the account and the session JWT. The component will NOT navigate — the caller is responsible. Use for custom post-signin routing — e.g. /popup/signin postMessages `{ account, token }` to its opener so a cross-domain integrator (different eTLD+1 from .ochk.io, which the HttpOnly cookie can't reach) can verify the session via JWKS. | [signin.tsx:71](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L71) |
-| <a id="property-paths"></a> `paths?` | \{ `email?`: `boolean`; `wallet?`: `boolean`; \} | Disable one of the two paths. Default is both enabled. Useful for B2B-only sites that don't want to expose email-OTP. | [signin.tsx:99](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L99) |
-| `paths.email?` | `boolean` | - | [signin.tsx:99](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L99) |
-| `paths.wallet?` | `boolean` | - | [signin.tsx:99](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L99) |
+| <a id="property-paths"></a> `paths?` | \{ `email?`: `boolean`; `wallet?`: `boolean`; \} | Disable one of the two paths. Default is both enabled. Useful for B2B-only sites that don't want to expose email-OTP. | [signin.tsx:112](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L112) |
+| `paths.email?` | `boolean` | - | [signin.tsx:112](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L112) |
+| `paths.wallet?` | `boolean` | - | [signin.tsx:112](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L112) |
+| <a id="property-providersfirst"></a> `providersFirst?` | `boolean` | Re-order the ceremony so the third-party providers (Google / GitHub) render **above** the wallet + email panel, and the email path is the default active tab. **Off by default** — the canonical bitcoin-first ceremony is unchanged for every other consumer. ochk.io's public homepage sets this so a first-time, non-Bitcoiner visitor sees the most familiar on-ramp (Google) first; the BIP-322 wallet path stays one tab away, reframed as the most-sovereign option. Honors family rule #3 — email / OAuth is the easy bridge, the Bitcoin address remains the canonical identity it resolves to. | [signin.tsx:107](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L107) |
 | <a id="property-resolvereturnto"></a> `resolveReturnTo?` | (`account`: [`OcAccount`](OcAccount.mdx)) => `string` \| `Promise`\<`string`\> | Async post-success routing. When provided (and `onSuccess` is not), the component awaits `resolveReturnTo(account)` and hard-navigates to the result instead of the static `returnTo`. This is the seam that lets a site keep persona-aware routing without forking the ceremony — e.g. me.ochk.io resolves `/api/me/intent` and routes to `/me/developer` | `/me/operator` | `/me`. The returned value is open-redirect-checked exactly like `returnTo` (same-origin paths only); on a resolver throw the component falls back to the static `returnTo`. | [signin.tsx:84](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L84) |
 | <a id="property-returnto"></a> `returnTo?` | `string` | Where to navigate after success. Defaults to `'/'`. Open-redirect-safe: a same-origin path (must start with `/`, NOT `//`) or an absolute `https://` URL on `ochk.io` / `*.ochk.io` — the add-another-account flow starts on a consumer subdomain and must round-trip back to it, including through the OAuth provider hop. Anything else is ignored. When omitted, the component reads `?return_to=` (or `?next=`) from the page URL — so the auth host's `/signin?add=1&return_to=…` entry point Just Works, the same way the `add` prop auto-detects `?add=1`. | [signin.tsx:61](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L61) |