mcdax
diff --git a/‎README.md‎
Lines changed: 160 additions & 1 deletion b/‎README.md‎
Lines changed: 160 additions & 1 deletion
diff --git a/‎comdirect_api.feature‎
Lines changed: 98 additions & 0 deletions b/‎comdirect_api.feature‎
Lines changed: 98 additions & 0 deletions
@@ -46,6 +46,7 @@ This client implements the official Comdirect REST API:
   - [On-Demand Token Refresh](#on-demand-token-refresh)
   - [Reauth Callback](#reauth-callback)
   - [Token Lifecycle](#token-lifecycle)
+- [Persistent Client Usage](#persistent-client-usage)
 - [Data Models](#data-models)
 - [Error Handling](#error-handling)
 - [Logging](#logging)
@@ -302,7 +303,7 @@ async def main():
     ) as client:
 
         # Authenticate (triggers Push-TAN on your smartphone)
-        print("Authenticating... Please approve Push-TAN on your device")
+        print("Authenticating...")
         await client.authenticate()
         print("✓ Authenticated!")
 
@@ -1004,6 +1005,164 @@ Tokens expire every ~10 minutes (599s). The client automatically refreshes 120 s
 
 ---
 
+## Persistent Client Usage
+
+**The ComdirectClient should be kept alive (persistent) throughout your application's lifecycle for best functionality.**
+
+### Why Keep the Client Alive?
+
+The client has a **background token refresh task** that automatically refreshes tokens 120 seconds before they expire. This task runs as an asyncio background coroutine and is critical for maintaining uninterrupted access to the Comdirect API.
+
+**If the client instance is destroyed:**
+
+- The background refresh task is cancelled
+- Tokens will expire after ~10 minutes (599 seconds)
+- A new TAN approval will be required for your next session
+- This defeats the purpose of automatic token refresh
+
+### Best Practice: Create Once, Reuse Everywhere
+
+```python
+import asyncio
+from comdirect_client.client import ComdirectClient
+
+# Global client instance - created once at application startup
+client: ComdirectClient | None = None
+
+async def init_client():
+    """Initialize the client once at startup."""
+    global client
+    client = ComdirectClient(
+        client_id="your_client_id",
+        client_secret="your_client_secret",
+        username="your_username",
+        password="your_password",
+        token_storage_path="/path/to/tokens.json",  # Persist across restarts
+    )
+    
+    # Authenticate once - requires TAN approval
+    await client.authenticate()
+    print("Client authenticated and ready!")
+    
+    # The background refresh task is now running automatically
+    # Tokens will be refreshed 120s before expiry
+
+async def get_balances():
+    """Use the persistent client for API calls."""
+    if not client:
+        raise RuntimeError("Client not initialized")
+    return await client.get_account_balances()
+
+async def get_transactions(account_id: str):
+    """Another API call using the same client instance."""
+    if not client:
+        raise RuntimeError("Client not initialized")
+    return await client.get_transactions(account_id)
+
+async def shutdown():
+    """Clean up when application shuts down."""
+    if client:
+        await client.close()
+```
+
+### What Happens with Token Storage?
+
+When you configure `token_storage_path`:
+
+1. **First run**: Authenticate with TAN, tokens are saved to disk
+2. **Subsequent runs**: Tokens are loaded from disk on client creation
+3. **Background refresh starts automatically** when valid tokens are loaded
+4. **No new TAN approval needed** as long as tokens haven't expired
+
+```python
+# Application startup
+client = ComdirectClient(
+    ...,
+    token_storage_path="/path/to/tokens.json",
+)
+
+# If valid tokens exist in storage:
+# - Tokens are automatically loaded
+# - Refresh task starts immediately
+# - No authenticate() call needed!
+
+if client.is_authenticated():
+    print("Tokens restored from storage - ready to use!")
+    balances = await client.get_account_balances()
+else:
+    print("No valid tokens - TAN approval required")
+    await client.authenticate()
+```
+
+### Anti-Pattern: Creating New Client Per Request
+
+**Do NOT do this** - it defeats the purpose of automatic token refresh:
+
+```python
+# BAD: Client is destroyed after each request
+async def get_balance_bad():
+    async with ComdirectClient(...) as client:
+        await client.authenticate()  # TAN approval needed
+        return await client.get_account_balances()
+    # Client destroyed here! Refresh task cancelled!
+
+# After ~10 minutes, calling get_balance_bad() again requires new TAN approval
+```
+
+### Framework Integration Examples
+
+**FastAPI / Starlette:**
+
+```python
+from fastapi import FastAPI
+from contextlib import asynccontextmanager
+from comdirect_client.client import ComdirectClient
+
+client: ComdirectClient | None = None
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    global client
+    client = ComdirectClient(
+        ...,
+        token_storage_path="/app/data/tokens.json",
+    )
+    if not client.is_authenticated():
+        await client.authenticate()
+    yield
+    await client.close()
+
+app = FastAPI(lifespan=lifespan)
+
+@app.get("/balances")
+async def get_balances():
+    return await client.get_account_balances()
+```
+
+**Long-running Service:**
+
+```python
+async def main():
+    client = ComdirectClient(
+        ...,
+        token_storage_path="tokens.json",
+        reauth_callback=lambda reason: print(f"Reauth needed: {reason}"),
+    )
+    
+    if not client.is_authenticated():
+        await client.authenticate()
+    
+    # Run indefinitely - tokens refresh automatically
+    while True:
+        balances = await client.get_account_balances()
+        print(f"Current balance: {balances[0].balance.value}")
+        await asyncio.sleep(3600)  # Check every hour
+
+asyncio.run(main())
+```
+
+---
+
 ## Data Models
 
 All API responses are parsed into type-safe dataclasses defined in `comdirect_client.models`:
 
@@ -416,6 +416,104 @@ Feature: Comdirect API Client Library
     And the library should provide method get_token_expiry() returning Optional[datetime]
     And all async methods should be properly typed with return types
 
+  # ============================================================================
+  # Persistent Client Usage (Architecture)
+  # ============================================================================
+
+  Scenario: Client should be kept alive for background token refresh
+    Given the library is initialized with token_storage_path
+    When the user completes authentication successfully
+    Then the client should start a background asyncio refresh task
+    And the background task should refresh tokens 120 seconds before expiry
+    And the user should NOT destroy the client after each operation
+    And the library should log "INFO: Token refresh task started"
+    And consecutive API calls should reuse the same client instance
+    And tokens should auto-refresh without user intervention
+
+  Scenario: Destroying client cancels background refresh
+    Given the user has an authenticated client with running refresh task
+    When the user calls client.close() or destroys the client
+    Then the background refresh task should be cancelled
+    And the library should log "INFO: Token refresh task cancelled"
+    And tokens will expire after ~10 minutes without refresh
+    And subsequent operations will require new TAN approval
+
+  Scenario: Token storage enables session recovery across restarts
+    Given the library is initialized with token_storage_path="/path/to/tokens.json"
+    And a previous session saved valid tokens to storage
+    When a new client instance is created
+    Then the library should automatically load tokens from storage
+    And the library should log "INFO: Tokens restored from storage (expires: ...)"
+    And the background refresh task should start automatically
+    And no TAN approval should be required if tokens are still valid
+
+  # ============================================================================
+  # Timezone-Aware Token Expiry (UTC)
+  # ============================================================================
+
+  Scenario: Token expiry is stored with UTC timezone
+    Given the library refreshes or obtains new tokens
+    When the token expiry is calculated from expires_in
+    Then the expiry datetime should be timezone-aware (UTC)
+    And the library should use datetime.now(timezone.utc) for current time
+    And token storage should persist expiry with timezone info (+00:00)
+
+  Scenario: Token expiry comparison uses UTC timezone
+    Given the library has stored tokens with timezone-aware expiry
+    When the library checks if tokens are expired
+    Then the comparison should use datetime.now(timezone.utc)
+    And tokens stored in local time zones should be handled correctly
+    And the library should not be affected by container timezone settings
+
+  Scenario: Loading legacy tokens without timezone assumes UTC
+    Given the library loads tokens from storage
+    And the stored token_expiry has no timezone info (naive datetime)
+    When the library parses the token_expiry
+    Then the library should assume the datetime is in UTC
+    And the library should add UTC timezone info to the datetime
+    And token expiry comparisons should work correctly
+
+  # ============================================================================
+  # TAN Status Callback
+  # ============================================================================
+
+  Scenario: Register TAN status callback for real-time monitoring
+    Given the library is initialized
+    When the user registers a TAN status callback function via register_tan_status_callback()
+    Then the callback should be stored internally
+    And the callback should receive (status, data) parameters
+    And status values should be: 'requested', 'pending', 'approved', 'timeout'
+
+  Scenario: TAN status callback invoked when TAN is requested
+    Given a TAN status callback is registered
+    When the library creates a TAN challenge (Step 3)
+    Then the callback should be invoked with status='requested'
+    And data should contain: tan_type, challenge_id, timeout_seconds
+    And the library should log the TAN challenge creation
+
+  Scenario: TAN status callback invoked during polling
+    Given a TAN status callback is registered
+    And the library is polling for TAN approval
+    When the TAN status is still PENDING
+    Then the callback should be invoked with status='pending' every 10 seconds
+    And data should contain: tan_type, timeout_seconds, elapsed_seconds, remaining_seconds
+
+  Scenario: TAN status callback invoked on approval
+    Given a TAN status callback is registered
+    And the library is polling for TAN approval
+    When the TAN is approved by the user
+    Then the callback should be invoked with status='approved'
+    And data should contain: tan_type, elapsed_seconds
+    And the library should proceed with session activation
+
+  Scenario: TAN status callback invoked on timeout
+    Given a TAN status callback is registered
+    And the library is polling for TAN approval
+    When 60 seconds elapse without TAN approval
+    Then the callback should be invoked with status='timeout'
+    And data should contain: tan_type, timeout_seconds
+    And the library should raise TANTimeoutError
+
   # ============================================================================
   # Integration Scenarios
   # ============================================================================