Normalize OAuth API key to handle 0x prefixes

Strip 0x prefix from api_key/client_id query params at parse time
and update isValidApiKey to accept prefixed keys, so OAuth consent
works regardless of whether the key includes the prefix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: rickyrombo

packages/web/src/pages/oauth-login-page/hooks.ts

@@ -75,12 +75,16 @@ const useParsedQueryParams = () => {
 
   const scope = collapseScopes(rawScope)
 
-  const apiKey =
-    typeof api_key === 'string'
-      ? api_key
-      : typeof client_id === 'string'
-        ? client_id
-        : undefined
+  const apiKey = (() => {
+    const raw =
+      typeof api_key === 'string'
+        ? api_key
+        : typeof client_id === 'string'
+          ? client_id
+          : undefined
+    if (raw?.toLowerCase().startsWith('0x')) return raw.slice(2)
+    return raw
+  })()
 
   const parsedRedirectUri = useMemo<'postmessage' | URL | null>(() => {
     if (redirectUri && typeof redirectUri === 'string') {

packages/web/src/pages/oauth-login-page/utils.ts

@@ -41,11 +41,12 @@ export const getIsRedirectValid = ({
 
 export const isValidApiKey = (key: string | string[]) => {
   if (Array.isArray(key)) return false
-  if (key.length !== 40) {
+  const normalized = key.toLowerCase().startsWith('0x') ? key.slice(2) : key
+  if (normalized.length !== 40) {
     return false
   }
   const hexadecimalRegex = /^[0-9a-fA-F]+$/
-  return hexadecimalRegex.test(key)
+  return hexadecimalRegex.test(normalized)
 }
 
 const getFormattedAppAddress = ({