npm - @openid4vc/oauth2 - Versions diffs - 0.2.1-alpha-20250130103023 → 0.3.0-alpha-20250202020720 - Mend

@openid4vc/oauth2 0.2.1-alpha-20250130103023 → 0.3.0-alpha-20250202020720

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,8 +1,8 @@
 // src/index.ts
 import { getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
-// src/common/v-oauth2-error.ts
-import * as v from "valibot";
+// src/common/z-oauth2-error.ts
+import z from "zod";
 var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes2) => {
   Oauth2ErrorCodes2["ServerError"] = "server_error";
   Oauth2ErrorCodes2["InvalidTarget"] = "invalid_target";
@@ -28,52 +28,54 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes2) => {
   Oauth2ErrorCodes2["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
   return Oauth2ErrorCodes2;
 })(Oauth2ErrorCodes || {});
-var vOauth2ErrorResponse = v.looseObject({
-  error: v.union([v.enum(Oauth2ErrorCodes), v.string()]),
-  error_description: v.optional(v.string()),
-  error_uri: v.optional(v.string())
-});
+var zOauth2ErrorResponse = z.object({
+  error: z.union([z.nativeEnum(Oauth2ErrorCodes), z.string()]),
+  error_description: z.string().optional(),
+  error_uri: z.string().optional()
+}).passthrough();
 // src/common/jwk/jwk-thumbprint.ts
-import * as v2 from "valibot";
 import { decodeUtf8String, encodeToBase64Url, parseWithErrorHandling } from "@openid4vc/utils";
-var vJwkThumbprintComponents = v2.variant("kty", [
-  v2.pipe(
-    v2.looseObject({
-      kty: v2.literal("EC"),
-      crv: v2.string(),
-      x: v2.string(),
-      y: v2.string()
-    }),
-    v2.transform(({ crv, kty, x, y }) => ({ crv, kty, x, y }))
-  ),
-  v2.pipe(
-    v2.looseObject({
-      kty: v2.literal("OKP"),
-      crv: v2.string(),
-      x: v2.string()
-    }),
-    v2.transform(({ crv, kty, x }) => ({ crv, kty, x }))
-  ),
-  v2.pipe(
-    v2.looseObject({
-      kty: v2.literal("RSA"),
-      e: v2.string(),
-      n: v2.string()
-    }),
-    v2.transform(({ e, kty, n }) => ({ e, kty, n }))
-  ),
-  v2.pipe(
-    v2.looseObject({
-      kty: v2.literal("oct"),
-      k: v2.string()
-    }),
-    v2.transform(({ k, kty }) => ({ k, kty }))
-  )
-]);
+import z2 from "zod";
+var zJwkThumbprintComponents = z2.discriminatedUnion("kty", [
+  z2.object({
+    kty: z2.literal("EC"),
+    crv: z2.string(),
+    x: z2.string(),
+    y: z2.string()
+  }),
+  z2.object({
+    kty: z2.literal("OKP"),
+    crv: z2.string(),
+    x: z2.string()
+  }),
+  z2.object({
+    kty: z2.literal("RSA"),
+    e: z2.string(),
+    n: z2.string()
+  }),
+  z2.object({
+    kty: z2.literal("oct"),
+    k: z2.string()
+  })
+]).transform((data) => {
+  if (data.kty === "EC") {
+    return { crv: data.crv, kty: data.kty, x: data.x, y: data.y };
+  }
+  if (data.kty === "OKP") {
+    return { crv: data.crv, kty: data.kty, x: data.x };
+  }
+  if (data.kty === "RSA") {
+    return { e: data.e, kty: data.kty, n: data.n };
+  }
+  if (data.kty === "oct") {
+    return { k: data.k, kty: data.kty };
+  }
+  throw new Error("Unsupported kty");
+});
 async function calculateJwkThumbprint(options) {
   const jwkThumbprintComponents = parseWithErrorHandling(
-    vJwkThumbprintComponents,
+    zJwkThumbprintComponents,
     options.jwk,
     `Provided jwk does not match a supported jwk structure. Either the 'kty' is not supported, or required values are missing.`
   );
@@ -134,44 +136,42 @@ async function isJwkInSet({
   return false;
 }
-// src/common/jwk/v-jwk.ts
-import * as v3 from "valibot";
-var vJwk = v3.looseObject({
-  kty: v3.string(),
-  crv: v3.optional(v3.string()),
-  x: v3.optional(v3.string()),
-  y: v3.optional(v3.string()),
-  e: v3.optional(v3.string()),
-  n: v3.optional(v3.string()),
-  alg: v3.optional(v3.string()),
-  d: v3.optional(v3.string()),
-  dp: v3.optional(v3.string()),
-  dq: v3.optional(v3.string()),
-  ext: v3.optional(v3.boolean()),
-  k: v3.optional(v3.string()),
-  key_ops: v3.optional(v3.string()),
-  kid: v3.optional(v3.string()),
-  oth: v3.optional(
-    v3.array(
-      v3.looseObject({
-        d: v3.optional(v3.string()),
-        r: v3.optional(v3.string()),
-        t: v3.optional(v3.string())
-      })
+// src/common/jwk/z-jwk.ts
+import z3 from "zod";
+var zJwk = z3.object({
+  kty: z3.string(),
+  crv: z3.optional(z3.string()),
+  x: z3.optional(z3.string()),
+  y: z3.optional(z3.string()),
+  e: z3.optional(z3.string()),
+  n: z3.optional(z3.string()),
+  alg: z3.optional(z3.string()),
+  d: z3.optional(z3.string()),
+  dp: z3.optional(z3.string()),
+  dq: z3.optional(z3.string()),
+  ext: z3.optional(z3.boolean()),
+  k: z3.optional(z3.string()),
+  key_ops: z3.optional(z3.string()),
+  kid: z3.optional(z3.string()),
+  oth: z3.optional(
+    z3.array(
+      z3.object({
+        d: z3.optional(z3.string()),
+        r: z3.optional(z3.string()),
+        t: z3.optional(z3.string())
+      }).passthrough()
     )
   ),
-  p: v3.optional(v3.string()),
-  q: v3.optional(v3.string()),
-  qi: v3.optional(v3.string()),
-  use: v3.optional(v3.string()),
-  x5c: v3.optional(v3.string()),
-  x5t: v3.optional(v3.string()),
-  "x5t#S256": v3.optional(v3.string()),
-  x5u: v3.optional(v3.string())
-});
-var vJwkSet = v3.looseObject({
-  keys: v3.array(vJwk)
-});
+  p: z3.optional(z3.string()),
+  q: z3.optional(z3.string()),
+  qi: z3.optional(z3.string()),
+  use: z3.optional(z3.string()),
+  x5c: z3.optional(z3.string()),
+  x5t: z3.optional(z3.string()),
+  "x5t#S256": z3.optional(z3.string()),
+  x5u: z3.optional(z3.string())
+}).passthrough();
+var zJwkSet = z3.object({ keys: z3.array(zJwk) }).passthrough();
 // src/common/jwt/verify-jwt.ts
 import { dateToSeconds } from "@openid4vc/utils";
@@ -245,47 +245,43 @@ var Oauth2JwtParseError = class extends Oauth2Error {
   }
 };
-// src/common/jwt/v-jwt.ts
-import { vInteger } from "@openid4vc/utils";
-import * as v5 from "valibot";
+// src/common/jwt/z-jwt.ts
+import { zInteger } from "@openid4vc/utils";
+import z5 from "zod";
-// src/common/v-common.ts
-import * as v4 from "valibot";
-var vAlgValueNotNone = v4.pipe(
-  v4.string(),
-  v4.check((alg) => alg !== "none", `alg value may not be 'none'`)
-);
+// src/common/z-common.ts
+import z4 from "zod";
+var zAlgValueNotNone = z4.string().refine((alg) => alg !== "none", { message: `alg value may not be 'none'` });
-// src/common/jwt/v-jwt.ts
-var vCompactJwt = v5.pipe(
-  v5.string(),
-  v5.regex(/^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)$/, "Not a valid compact jwt")
-);
-var vJwtConfirmationPayload = v5.looseObject({
-  jwk: v5.optional(vJwk),
-  // RFC9449. jwk thumbprint of the dpop public key to which the access token is bound
-  jkt: v5.optional(v5.string())
+// src/common/jwt/z-jwt.ts
+var zCompactJwt = z5.string().regex(/^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)$/, {
+  message: "Not a valid compact jwt"
 });
-var vJwtPayload = v5.looseObject({
-  iss: v5.optional(v5.string()),
-  aud: v5.optional(v5.string()),
-  iat: v5.optional(vInteger),
-  exp: v5.optional(vInteger),
-  nbf: v5.optional(vInteger),
-  nonce: v5.optional(v5.string()),
-  jti: v5.optional(v5.string()),
-  cnf: v5.optional(vJwtConfirmationPayload),
+var zJwtConfirmationPayload = z5.object({
+  jwk: zJwk.optional(),
+  // RFC9449. jwk thumbprint of the dpop public key to which the access token is bound
+  jkt: z5.string().optional()
+}).passthrough();
+var zJwtPayload = z5.object({
+  iss: z5.string().optional(),
+  aud: z5.string().optional(),
+  iat: zInteger.optional(),
+  exp: zInteger.optional(),
+  nbf: zInteger.optional(),
+  nonce: z5.string().optional(),
+  jti: z5.string().optional(),
+  cnf: zJwtConfirmationPayload.optional(),
   // Reserved for status parameters
-  status: v5.optional(v5.looseObject({}))
-});
-var vJwtHeader = v5.looseObject({
-  alg: vAlgValueNotNone,
-  typ: v5.optional(v5.string()),
-  kid: v5.optional(v5.string()),
-  jwk: v5.optional(vJwk),
-  x5c: v5.optional(v5.array(v5.string())),
-  trust_chain: v5.optional(v5.array(v5.string()))
-});
+  status: z5.record(z5.string(), z5.any()).optional()
+}).passthrough();
+var zJwtHeader = z5.object({
+  alg: zAlgValueNotNone,
+  typ: z5.string().optional(),
+  kid: z5.string().optional(),
+  jwk: zJwk.optional(),
+  x5c: z5.array(z5.string()).optional(),
+  trust_chain: z5.array(z5.string()).optional()
+}).passthrough();
 // src/common/jwt/decode-jwt.ts
 function decodeJwt(options) {
@@ -307,8 +303,8 @@ function decodeJwt(options) {
   } catch (error) {
     throw new Oauth2JwtParseError("Error parsing JWT");
   }
-  const header = parseWithErrorHandling2(options.headerSchema ?? vJwtHeader, headerJson);
-  const payload = parseWithErrorHandling2(options.payloadSchema ?? vJwtPayload, payloadJson);
+  const header = parseWithErrorHandling2(options.headerSchema ?? zJwtHeader, headerJson);
+  const payload = parseWithErrorHandling2(options.payloadSchema ?? zJwtPayload, payloadJson);
   return {
     header,
     payload,
@@ -470,101 +466,133 @@ ${JSON.stringify(errorResponse, null, 2)}`,
   }
 };
-// src/metadata/authorization-server/v-authorization-server-metadata.ts
-import { vHttpsUrl } from "@openid4vc/utils";
-import * as v6 from "valibot";
-var vAuthorizationServerMetadata = v6.pipe(
-  v6.looseObject({
-    issuer: vHttpsUrl,
-    token_endpoint: vHttpsUrl,
-    token_endpoint_auth_methods_supported: v6.optional(v6.array(v6.string())),
-    authorization_endpoint: v6.optional(vHttpsUrl),
-    jwks_uri: v6.optional(vHttpsUrl),
-    // RFC7636
-    code_challenge_methods_supported: v6.optional(v6.array(v6.string())),
-    // RFC9449
-    dpop_signing_alg_values_supported: v6.optional(v6.array(v6.string())),
-    // RFC9126
-    require_pushed_authorization_requests: v6.optional(v6.boolean()),
-    pushed_authorization_request_endpoint: v6.optional(vHttpsUrl),
-    // RFC9068
-    introspection_endpoint: v6.optional(vHttpsUrl),
-    introspection_endpoint_auth_methods_supported: v6.optional(
-      v6.array(v6.union([v6.literal("client_secret_jwt"), v6.literal("private_key_jwt"), v6.string()]))
-    ),
-    introspection_endpoint_auth_signing_alg_values_supported: v6.optional(v6.array(vAlgValueNotNone)),
-    // FiPA (no RFC yet)
-    authorization_challenge_endpoint: v6.optional(vHttpsUrl),
-    // From OID4VCI specification
-    "pre-authorized_grant_anonymous_access_supported": v6.optional(v6.boolean())
-  }),
-  v6.check(
-    ({
-      introspection_endpoint_auth_methods_supported: methodsSupported,
-      introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
-    }) => {
-      if (!methodsSupported) return true;
-      if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
-      return algValuesSupported !== void 0 && algValuesSupported.length > 0;
-    },
-    `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
-  )
+// src/metadata/authorization-server/z-authorization-server-metadata.ts
+import { zHttpsUrl } from "@openid4vc/utils";
+import z6 from "zod";
+var zAuthorizationServerMetadata = z6.object({
+  issuer: zHttpsUrl,
+  token_endpoint: zHttpsUrl,
+  token_endpoint_auth_methods_supported: z6.optional(z6.array(z6.string())),
+  authorization_endpoint: z6.optional(zHttpsUrl),
+  jwks_uri: z6.optional(zHttpsUrl),
+  // RFC7636
+  code_challenge_methods_supported: z6.optional(z6.array(z6.string())),
+  // RFC9449
+  dpop_signing_alg_values_supported: z6.optional(z6.array(z6.string())),
+  // RFC9126
+  require_pushed_authorization_requests: z6.optional(z6.boolean()),
+  pushed_authorization_request_endpoint: z6.optional(zHttpsUrl),
+  // RFC9068
+  introspection_endpoint: z6.optional(zHttpsUrl),
+  introspection_endpoint_auth_methods_supported: z6.optional(
+    z6.array(z6.union([z6.literal("client_secret_jwt"), z6.literal("private_key_jwt"), z6.string()]))
+  ),
+  introspection_endpoint_auth_signing_alg_values_supported: z6.optional(z6.array(zAlgValueNotNone)),
+  // FiPA (no RFC yet)
+  authorization_challenge_endpoint: z6.optional(zHttpsUrl),
+  // From OID4VCI specification
+  pre_authorized_grant_anonymous_access_supported: z6.optional(z6.boolean())
+}).passthrough().refine(
+  ({
+    introspection_endpoint_auth_methods_supported: methodsSupported,
+    introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported
+  }) => {
+    if (!methodsSupported) return true;
+    if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
+    return algValuesSupported !== void 0 && algValuesSupported.length > 0;
+  },
+  `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`
 );
 // src/metadata/authorization-server/authorization-server-metadata.ts
 import { joinUriParts } from "@openid4vc/utils";
 // src/metadata/fetch-well-known-metadata.ts
-import { ContentType, createValibotFetcher } from "@openid4vc/utils";
+import { ContentType, createZodFetcher } from "@openid4vc/utils";
 import { InvalidFetchResponseError } from "@openid4vc/utils";
-// ../utils/src/parse.ts
-import * as v7 from "valibot";
-// ../utils/src/object.ts
-function isObject(item) {
-  return item != null && typeof item === "object" && !Array.isArray(item);
-}
-function mergeDeep(target, ...sources) {
-  if (!sources.length) return target;
-  const source = sources.shift();
-  if (isObject(target) && isObject(source)) {
-    for (const key in source) {
-      if (isObject(source[key])) {
-        if (!target[key]) Object.assign(target, { [key]: {} });
-        mergeDeep(target[key], source[key]);
-      } else {
-        Object.assign(target, { [key]: source[key] });
+// ../utils/src/error/ValidationError.ts
+import { ZodIssueCode } from "zod";
+var constants = {
+  // biome-ignore lint/suspicious/noMisleadingCharacterClass: expected
+  identifierRegex: /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/u,
+  unionSeparator: ", or ",
+  issueSeparator: "\n	- "
+};
+var ValidationError = class extends Error {
+  escapeQuotes(str) {
+    return str.replace(/"/g, '\\"');
+  }
+  joinPath(path) {
+    if (path.length === 1) {
+      return path[0].toString();
+    }
+    return path.reduce((acc, item) => {
+      if (typeof item === "number") {
+        return `${acc}[${item.toString()}]`;
+      }
+      if (item.includes('"')) {
+        return `${acc}["${this.escapeQuotes(item)}"]`;
       }
+      if (!constants.identifierRegex.test(item)) {
+        return `${acc}["${item}"]`;
+      }
+      const separator = acc.length === 0 ? "" : ".";
+      return acc + separator + item;
+    }, "");
+  }
+  getMessageFromUnionErrors(unionErrors) {
+    return unionErrors.reduce((acc, zodError) => {
+      const newIssues = zodError.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
+      if (!acc.includes(newIssues)) acc.push(newIssues);
+      return acc;
+    }, []).join(constants.unionSeparator);
+  }
+  getMessageFromZodIssue(issue) {
+    if (issue.code === ZodIssueCode.invalid_union) {
+      return this.getMessageFromUnionErrors(issue.unionErrors);
     }
-  }
-  return mergeDeep(target, ...sources);
-}
-// ../utils/src/parse.ts
-function valibotRecursiveFlattenIssues(issues) {
-  let flattened = v7.flatten(issues);
-  for (const issue of issues) {
-    if (issue.issues) {
-      flattened = mergeDeep(flattened, valibotRecursiveFlattenIssues(issue.issues));
+    if (issue.code === ZodIssueCode.invalid_arguments) {
+      return [issue.message, ...issue.argumentsError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
+        constants.issueSeparator
+      );
     }
-  }
-  return flattened;
-}
-// ../utils/src/error/ValidationError.ts
-var ValidationError = class extends Error {
-  constructor(message, valibotIssues = []) {
-    const errorDetails = valibotIssues.length > 0 ? JSON.stringify(valibotRecursiveFlattenIssues(valibotIssues), null, 2) : "No details provided";
-    super(`${message}
-${errorDetails}`);
-    this.valibotIssues = valibotIssues;
+    if (issue.code === ZodIssueCode.invalid_return_type) {
+      return [issue.message, ...issue.returnTypeError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
+        constants.issueSeparator
+      );
+    }
+    if (issue.path.length !== 0) {
+      if (issue.path.length === 1) {
+        const identifier = issue.path[0];
+        if (typeof identifier === "number") {
+          return `${issue.message} at index ${identifier}`;
+        }
+      }
+      return `${issue.message} at "${this.joinPath(issue.path)}"`;
+    }
+    return issue.message;
+  }
+  formatError(error) {
+    if (!error) return "";
+    return error?.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
+  }
+  constructor(message, zodError) {
+    super(message);
+    const formattedError = this.formatError(zodError);
+    this.message = `${message}
+	- ${formattedError}`;
+    Object.defineProperty(this, "zodError", {
+      value: zodError,
+      writable: false,
+      enumerable: false
+    });
   }
 };
 // src/metadata/fetch-well-known-metadata.ts
 async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
-  const fetcher = createValibotFetcher(fetch);
+  const fetcher = createZodFetcher(fetch);
   const { result, response } = await fetcher(schema, ContentType.Json, wellKnownMetadataUrl);
   if (response.status === 404) {
     return null;
@@ -576,10 +604,10 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
       response
     );
   }
-  if (!result || !result.success) {
-    throw new ValidationError(`Validation of metadata from '${wellKnownMetadataUrl}' failed`, result?.issues);
+  if (!result?.success) {
+    throw new ValidationError(`Validation of metadata from '${wellKnownMetadataUrl}' failed`, result?.error);
   }
-  return result.output;
+  return result.data;
 }
 // src/metadata/authorization-server/authorization-server-metadata.ts
@@ -590,7 +618,7 @@ async function fetchAuthorizationServerMetadata(issuer, fetch) {
   const authorizationServerWellKnownMetadataUrl = joinUriParts(issuer, [wellKnownAuthorizationServerSuffix]);
   const authorizationServerResult = await fetchWellKnownMetadata(
     authorizationServerWellKnownMetadataUrl,
-    vAuthorizationServerMetadata,
+    zAuthorizationServerMetadata,
     fetch
   );
   if (authorizationServerResult) {
@@ -603,7 +631,7 @@ async function fetchAuthorizationServerMetadata(issuer, fetch) {
   }
   const openIdConfigurationResult = await fetchWellKnownMetadata(
     openIdConfigurationWellKnownMetadataUrl,
-    vAuthorizationServerMetadata,
+    zAuthorizationServerMetadata,
     fetch
   );
   if (openIdConfigurationResult) {
@@ -629,17 +657,17 @@ function getAuthorizationServerMetadataFromList(authorizationServersMetadata, is
 }
 // src/metadata/fetch-jwks-uri.ts
-import { ContentType as ContentType2, createValibotFetcher as createValibotFetcher2 } from "@openid4vc/utils";
+import { ContentType as ContentType2, createZodFetcher as createZodFetcher2 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError2 } from "@openid4vc/utils";
 async function fetchJwks(authorizationServer, fetch) {
-  const fetcher = createValibotFetcher2(fetch);
+  const fetcher = createZodFetcher2(fetch);
   const jwksUrl = authorizationServer.jwks_uri;
   if (!jwksUrl) {
     throw new Oauth2Error(
       `Authorization server '${authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`
     );
   }
-  const { result, response } = await fetcher(vJwkSet, ContentType2.JwkSet, jwksUrl);
+  const { result, response } = await fetcher(zJwkSet, ContentType2.JwkSet, jwksUrl);
   if (!response.ok) {
     throw new InvalidFetchResponseError2(
       `Fetching JWKs from jwks_uri '${jwksUrl}' resulted in an unsuccessfull response with status code '${response.status}'.`,
@@ -647,32 +675,32 @@ async function fetchJwks(authorizationServer, fetch) {
       response
     );
   }
-  if (!result || !result.success) {
-    throw new ValidationError(`Validation of JWKs from jwks_uri '${jwksUrl}' failed`, result?.issues);
+  if (!result?.success) {
+    throw new ValidationError(`Validation of JWKs from jwks_uri '${jwksUrl}' failed`, result?.error);
   }
-  return result.output;
+  return result.data;
 }
-// src/access-token/v-access-token-jwt.ts
-import { vInteger as vInteger2 } from "@openid4vc/utils";
-import * as v8 from "valibot";
-var vAccessTokenProfileJwtHeader = v8.looseObject({
-  ...vJwtHeader.entries,
-  typ: v8.picklist(["application/at+jwt", "at+jwt"])
-});
-var vAccessTokenProfileJwtPayload = v8.looseObject({
-  ...vJwtPayload.entries,
-  iss: v8.string(),
-  exp: vInteger2,
-  iat: vInteger2,
-  aud: v8.string(),
-  sub: v8.string(),
+// src/access-token/z-access-token-jwt.ts
+import { zInteger as zInteger2 } from "@openid4vc/utils";
+import z7 from "zod";
+var zAccessTokenProfileJwtHeader = z7.object({
+  ...zJwtHeader.shape,
+  typ: z7.enum(["application/at+jwt", "at+jwt"])
+}).passthrough();
+var zAccessTokenProfileJwtPayload = z7.object({
+  ...zJwtPayload.shape,
+  iss: z7.string(),
+  exp: zInteger2,
+  iat: zInteger2,
+  aud: z7.string(),
+  sub: z7.string(),
   // REQUIRED according to RFC 9068, but OID4VCI allows anonymous access
-  client_id: v8.optional(v8.string()),
-  jti: v8.string(),
+  client_id: z7.optional(z7.string()),
+  jti: z7.string(),
   // SHOULD be included in the authorization request contained it
-  scope: v8.optional(v8.string())
-});
+  scope: z7.optional(z7.string())
+}).passthrough();
 // src/access-token/verify-access-token.ts
 var SupportedAuthenticationScheme = /* @__PURE__ */ ((SupportedAuthenticationScheme2) => {
@@ -683,8 +711,8 @@ var SupportedAuthenticationScheme = /* @__PURE__ */ ((SupportedAuthenticationSch
 async function verifyJwtProfileAccessToken(options) {
   const decodedJwt = decodeJwt({
     jwt: options.accessToken,
-    headerSchema: vAccessTokenProfileJwtHeader,
-    payloadSchema: vAccessTokenProfileJwtPayload
+    headerSchema: zAccessTokenProfileJwtHeader,
+    payloadSchema: zAccessTokenProfileJwtPayload
   });
   const authorizationServer = options.authorizationServers.find(({ issuer }) => decodedJwt.payload.iss === issuer);
   if (!authorizationServer) {
@@ -727,23 +755,23 @@ import {
   parseWithErrorHandling as parseWithErrorHandling3
 } from "@openid4vc/utils";
-// src/dpop/v-dpop.ts
-import * as v9 from "valibot";
-import { vHttpMethod, vHttpsUrl as vHttpsUrl2, vInteger as vInteger3 } from "@openid4vc/utils";
-var vDpopJwtPayload = v9.looseObject({
-  ...vJwtPayload.entries,
-  iat: vInteger3,
-  htu: vHttpsUrl2,
-  htm: vHttpMethod,
-  jti: v9.string(),
+// src/dpop/z-dpop.ts
+import { zHttpMethod, zHttpsUrl as zHttpsUrl2, zInteger as zInteger3 } from "@openid4vc/utils";
+import z8 from "zod";
+var zDpopJwtPayload = z8.object({
+  ...zJwtPayload.shape,
+  iat: zInteger3,
+  htu: zHttpsUrl2,
+  htm: zHttpMethod,
+  jti: z8.string(),
   // Only required when presenting in combination with access token
-  ath: v9.optional(v9.string())
-});
-var vDpopJwtHeader = v9.looseObject({
-  ...vJwtHeader.entries,
-  typ: v9.literal("dpop+jwt"),
-  jwk: vJwk
-});
+  ath: z8.optional(z8.string())
+}).passthrough();
+var zDpopJwtHeader = z8.object({
+  ...zJwtHeader.shape,
+  typ: z8.literal("dpop+jwt"),
+  jwk: zJwk
+}).passthrough();
 // src/dpop/dpop.ts
 async function createDpopHeadersForRequest(options) {
@@ -757,12 +785,12 @@ async function createDpopJwt(options) {
   if (options.accessToken) {
     ath = encodeToBase64Url2(await options.callbacks.hash(decodeUtf8String2(options.accessToken), "SHA-256" /* Sha256 */));
   }
-  const header = parseWithErrorHandling3(vDpopJwtHeader, {
+  const header = parseWithErrorHandling3(zDpopJwtHeader, {
     typ: "dpop+jwt",
     jwk: options.signer.publicJwk,
     alg: options.signer.alg
   });
-  const payload = parseWithErrorHandling3(vDpopJwtPayload, {
+  const payload = parseWithErrorHandling3(zDpopJwtPayload, {
     htu: htuFromRequestUrl(options.request.url),
     iat: dateToSeconds2(options.issuedAt),
     htm: options.request.method,
@@ -780,8 +808,8 @@ async function createDpopJwt(options) {
 async function verifyDpopJwt(options) {
   const { header, payload } = decodeJwt({
     jwt: options.dpopJwt,
-    headerSchema: vDpopJwtHeader,
-    payloadSchema: vDpopJwtPayload
+    headerSchema: zDpopJwtHeader,
+    payloadSchema: zDpopJwtPayload
   });
   if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) {
     throw new Oauth2Error(
@@ -985,37 +1013,37 @@ async function resourceRequest(options) {
 import { ValidationError as ValidationError2 } from "@openid4vc/utils";
 // src/access-token/introspect-token.ts
-import { ContentType as ContentType3, createValibotFetcher as createValibotFetcher3, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
+import { ContentType as ContentType3, createZodFetcher as createZodFetcher3, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError3 } from "@openid4vc/utils";
 import { Headers } from "@openid4vc/utils";
-// src/access-token/v-token-introspection.ts
-import { vInteger as vInteger4 } from "@openid4vc/utils";
-import * as v10 from "valibot";
-var vTokenIntrospectionRequest = v10.looseObject({
-  token: v10.string(),
-  token_type_hint: v10.optional(v10.string())
-});
-var vTokenIntrospectionResponse = v10.looseObject({
-  active: v10.boolean(),
-  scope: v10.optional(v10.string()),
-  client_id: v10.optional(v10.string()),
-  username: v10.optional(v10.string()),
-  token_type: v10.optional(v10.string()),
-  exp: v10.optional(vInteger4),
-  iat: v10.optional(vInteger4),
-  nbf: v10.optional(vInteger4),
-  sub: v10.optional(v10.string()),
-  aud: v10.optional(v10.string()),
-  iss: v10.optional(v10.string()),
-  jti: v10.optional(v10.string()),
-  cnf: v10.optional(vJwtConfirmationPayload)
-});
+// src/access-token/z-token-introspection.ts
+import { zInteger as zInteger4 } from "@openid4vc/utils";
+import z9 from "zod";
+var zTokenIntrospectionRequest = z9.object({
+  token: z9.string(),
+  token_type_hint: z9.optional(z9.string())
+}).passthrough();
+var zTokenIntrospectionResponse = z9.object({
+  active: z9.boolean(),
+  scope: z9.optional(z9.string()),
+  client_id: z9.optional(z9.string()),
+  username: z9.optional(z9.string()),
+  token_type: z9.optional(z9.string()),
+  exp: z9.optional(zInteger4),
+  iat: z9.optional(zInteger4),
+  nbf: z9.optional(zInteger4),
+  sub: z9.optional(z9.string()),
+  aud: z9.optional(z9.string()),
+  iss: z9.optional(z9.string()),
+  jti: z9.optional(z9.string()),
+  cnf: z9.optional(zJwtConfirmationPayload)
+}).passthrough();
 // src/access-token/introspect-token.ts
 async function introspectToken(options) {
-  const fetchWithValibot = createValibotFetcher3(options.callbacks.fetch);
-  const introspectionRequest = parseWithErrorHandling4(vTokenIntrospectionRequest, {
+  const fetchWithZod = createZodFetcher3(options.callbacks.fetch);
+  const introspectionRequest = parseWithErrorHandling4(zTokenIntrospectionRequest, {
     token: options.token,
     token_type_hint: options.tokenTypeHint,
     ...options.additionalPayload
@@ -1035,8 +1063,8 @@ async function introspectToken(options) {
     contentType: ContentType3.XWwwFormUrlencoded,
     headers
   });
-  const { result, response } = await fetchWithValibot(
-    vTokenIntrospectionResponse,
+  const { result, response } = await fetchWithZod(
+    zTokenIntrospectionResponse,
     ContentType3.Json,
     introspectionEndpoint,
     {
@@ -1052,7 +1080,7 @@ async function introspectToken(options) {
       response
     );
   }
-  return result.output;
+  return result.data;
 }
 // src/resource-request/verify-resource-request.ts
@@ -1229,8 +1257,8 @@ function getSupportedClientAuthenticationMethod(authorizationServer, endpointTyp
 }
 function clientAuthenticationDynamic(options) {
   return (callbackOptions) => {
-    const { url: url3, authorizationServerMetata } = callbackOptions;
-    const endpointType = url3 === authorizationServerMetata.introspection_endpoint ? "introspection" : "endpoint";
+    const { url, authorizationServerMetata } = callbackOptions;
+    const endpointType = url === authorizationServerMetata.introspection_endpoint ? "introspection" : "endpoint";
     const method = getSupportedClientAuthenticationMethod(authorizationServerMetata, endpointType);
     if (method === "client_secret_basic" /* ClientSecretBasic */) {
       return clientAuthenticationClientSecretBasic(options)(callbackOptions);
@@ -1268,12 +1296,12 @@ import { parseWithErrorHandling as parseWithErrorHandling11 } from "@openid4vc/u
 // src/access-token/create-access-token.ts
 import { addSecondsToDate, dateToSeconds as dateToSeconds3, encodeToBase64Url as encodeToBase64Url4, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
 async function createAccessTokenJwt(options) {
-  const header = parseWithErrorHandling5(vAccessTokenProfileJwtHeader, {
+  const header = parseWithErrorHandling5(zAccessTokenProfileJwtHeader, {
     ...jwtHeaderFromJwtSigner(options.signer),
     typ: "at+jwt"
   });
   const now = options.now ?? /* @__PURE__ */ new Date();
-  const payload = parseWithErrorHandling5(vAccessTokenProfileJwtPayload, {
+  const payload = parseWithErrorHandling5(zAccessTokenProfileJwtPayload, {
     iat: dateToSeconds3(now),
     exp: dateToSeconds3(addSecondsToDate(now, options.expiresInSeconds)),
     aud: options.audience,
@@ -1303,84 +1331,75 @@ async function createAccessTokenJwt(options) {
 // src/access-token/create-access-token-response.ts
 import { parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/utils";
-// src/access-token/v-access-token.ts
-import * as v12 from "valibot";
-import { vHttpsUrl as vHttpsUrl3 } from "@openid4vc/utils";
-// src/v-grant-type.ts
-import * as v11 from "valibot";
-var vPreAuthorizedCodeGrantIdentifier = v11.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
-var preAuthorizedCodeGrantIdentifier = vPreAuthorizedCodeGrantIdentifier.literal;
-var vAuthorizationCodeGrantIdentifier = v11.literal("authorization_code");
-var authorizationCodeGrantIdentifier = vAuthorizationCodeGrantIdentifier.literal;
-var vRefreshTokenGrantIdentifier = v11.literal("refresh_token");
-var refreshTokenGrantIdentifier = vRefreshTokenGrantIdentifier.literal;
-// src/access-token/v-access-token.ts
-var vAccessTokenRequest = v12.intersect([
-  v12.looseObject({
+// src/access-token/z-access-token.ts
+import z11 from "zod";
+import { zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
+// src/z-grant-type.ts
+import z10 from "zod";
+var zPreAuthorizedCodeGrantIdentifier = z10.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
+var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
+var zAuthorizationCodeGrantIdentifier = z10.literal("authorization_code");
+var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
+var zRefreshTokenGrantIdentifier = z10.literal("refresh_token");
+var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
+// src/access-token/z-access-token.ts
+var zAccessTokenRequest = z11.intersection(
+  z11.object({
     // Pre authorized code flow
-    "pre-authorized_code": v12.optional(v12.string()),
+    "pre-authorized_code": z11.optional(z11.string()),
     // Authorization code flow
-    code: v12.optional(v12.string()),
-    redirect_uri: v12.optional(v12.pipe(v12.string(), v12.url())),
+    code: z11.optional(z11.string()),
+    redirect_uri: z11.string().url().optional(),
     // Refresh token grant
-    refresh_token: v12.optional(v12.string()),
-    resource: v12.optional(vHttpsUrl3),
-    code_verifier: v12.optional(v12.string()),
-    grant_type: v12.union([
-      vPreAuthorizedCodeGrantIdentifier,
-      vAuthorizationCodeGrantIdentifier,
-      vRefreshTokenGrantIdentifier,
+    refresh_token: z11.optional(z11.string()),
+    resource: z11.optional(zHttpsUrl3),
+    code_verifier: z11.optional(z11.string()),
+    grant_type: z11.union([
+      zPreAuthorizedCodeGrantIdentifier,
+      zAuthorizationCodeGrantIdentifier,
+      zRefreshTokenGrantIdentifier,
       // string makes the previous ones unessary, but it does help with error messages
-      v12.string()
+      z11.string()
     ])
-  }),
-  v12.pipe(
-    v12.looseObject({
-      tx_code: v12.optional(v12.string()),
-      // user_pin is from OID4VCI draft 11
-      user_pin: v12.optional(v12.string())
-    }),
-    // Check that user_pin and tx_code are the same if both are provided
-    // and transform user_pin to tx_code if only user_pin is provided
-    v12.check(
-      ({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code,
-      `If both 'tx_code' and 'user_pin' are present they must match`
-    ),
-    v12.transform(({ tx_code, user_pin, ...rest }) => {
-      return {
-        ...rest,
-        ...tx_code ?? user_pin ? { tx_code: tx_code ?? user_pin } : {}
-      };
-    })
-  )
-]);
-var vAccessTokenResponse = v12.looseObject({
-  access_token: v12.string(),
-  token_type: v12.string(),
-  expires_in: v12.optional(v12.pipe(v12.number(), v12.integer())),
-  scope: v12.optional(v12.string()),
-  state: v12.optional(v12.string()),
-  refresh_token: v12.optional(v12.string()),
+  }).passthrough(),
+  z11.object({
+    tx_code: z11.optional(z11.string()),
+    // user_pin is from OID4VCI draft 11
+    user_pin: z11.optional(z11.string())
+  }).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, {
+    message: `If both 'tx_code' and 'user_pin' are present they must match`
+  }).transform(({ tx_code, user_pin, ...rest }) => {
+    return {
+      ...rest,
+      ...tx_code ?? user_pin ? { tx_code: tx_code ?? user_pin } : {}
+    };
+  })
+);
+var zAccessTokenResponse = z11.object({
+  access_token: z11.string(),
+  token_type: z11.string(),
+  expires_in: z11.optional(z11.number().int()),
+  scope: z11.optional(z11.string()),
+  state: z11.optional(z11.string()),
+  refresh_token: z11.optional(z11.string()),
   // Oid4vci specific parameters
-  c_nonce: v12.optional(v12.string()),
-  c_nonce_expires_in: v12.optional(v12.pipe(v12.number(), v12.integer())),
+  c_nonce: z11.optional(z11.string()),
+  c_nonce_expires_in: z11.optional(z11.number().int()),
   // TODO: add additional params
-  authorization_details: v12.optional(
-    v12.array(
-      v12.looseObject({
-        // requried when type is openid_credential (so we probably need a discriminator)
-        // credential_identifiers: v.array(v.string()),
-      })
-    )
-  )
-});
-var vAccessTokenErrorResponse = vOauth2ErrorResponse;
+  authorization_details: z11.array(
+    z11.object({
+      // requried when type is openid_credential (so we probably need a discriminator)
+      // credential_identifiers: z.array(z.string()),
+    }).passthrough()
+  ).optional()
+}).passthrough();
+var zAccessTokenErrorResponse = zOauth2ErrorResponse;
 // src/access-token/create-access-token-response.ts
 async function createAccessTokenResponse(options) {
-  const accessTokenResponse = parseWithErrorHandling6(vAccessTokenResponse, {
+  const accessTokenResponse = parseWithErrorHandling6(zAccessTokenResponse, {
     access_token: options.accessToken,
     token_type: options.tokenType,
     expires_in: options.expiresInSeconds,
@@ -1392,18 +1411,16 @@ async function createAccessTokenResponse(options) {
 }
 // src/access-token/parse-access-token-request.ts
-import { valibotRecursiveFlattenIssues as valibotRecursiveFlattenIssues2 } from "@openid4vc/utils";
-import * as v13 from "valibot";
 function parseAccessTokenRequest(options) {
-  const parsedAccessTokenRequest = v13.safeParse(vAccessTokenRequest, options.accessTokenRequest);
+  const parsedAccessTokenRequest = zAccessTokenRequest.safeParse(options.accessTokenRequest);
   if (!parsedAccessTokenRequest.success) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_request" /* InvalidRequest */,
       error_description: `Error occured during validation of authorization request.
-${JSON.stringify(valibotRecursiveFlattenIssues2(parsedAccessTokenRequest.issues), null, 2)}`
+${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
     });
   }
-  const accessTokenRequest = parsedAccessTokenRequest.output;
+  const accessTokenRequest = parsedAccessTokenRequest.data;
   let grant;
   if (accessTokenRequest.grant_type === preAuthorizedCodeGrantIdentifier) {
     if (!accessTokenRequest["pre-authorized_code"]) {
@@ -1629,67 +1646,67 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
 // src/authorization-challenge/create-authorization-challenge-response.ts
 import { parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
-// src/authorization-challenge/v-authorization-challenge.ts
-import { vInteger as vInteger5 } from "@openid4vc/utils";
-import * as v15 from "valibot";
-// src/authorization-request/v-authorization-request.ts
-import { vHttpsUrl as vHttpsUrl4 } from "@openid4vc/utils";
-import * as v14 from "valibot";
-var vAuthorizationRequest = v14.looseObject({
-  response_type: v14.string(),
-  client_id: v14.string(),
-  issuer_state: v14.optional(v14.string()),
-  redirect_uri: v14.optional(v14.pipe(v14.string(), v14.url())),
-  resource: v14.optional(vHttpsUrl4),
-  scope: v14.optional(v14.string()),
+// src/authorization-challenge/z-authorization-challenge.ts
+import { zInteger as zInteger5 } from "@openid4vc/utils";
+import z13 from "zod";
+// src/authorization-request/z-authorization-request.ts
+import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
+import z12 from "zod";
+var zAuthorizationRequest = z12.object({
+  response_type: z12.string(),
+  client_id: z12.string(),
+  issuer_state: z12.optional(z12.string()),
+  redirect_uri: z12.string().url().optional(),
+  resource: z12.optional(zHttpsUrl4),
+  scope: z12.optional(z12.string()),
   // DPoP jwk thumbprint
-  dpop_jkt: v14.optional(v14.string()),
-  code_challenge: v14.optional(v14.string()),
-  code_challenge_method: v14.optional(v14.string())
-});
-var vPushedAuthorizationRequest = v14.looseObject({
-  request_uri: v14.string(),
-  client_id: v14.string()
-});
-var vPushedAuthorizationResponse = v14.looseObject({
-  request_uri: v14.string(),
-  expires_in: v14.pipe(v14.number(), v14.integer())
-});
-// src/authorization-challenge/v-authorization-challenge.ts
-var vAuthorizationChallengeRequest = v15.looseObject({
+  dpop_jkt: z12.optional(z12.string()),
+  code_challenge: z12.optional(z12.string()),
+  code_challenge_method: z12.optional(z12.string())
+}).passthrough();
+var zPushedAuthorizationRequest = z12.object({
+  request_uri: z12.string(),
+  client_id: z12.string()
+}).passthrough();
+var zPushedAuthorizationResponse = z12.object({
+  request_uri: z12.string(),
+  expires_in: z12.number().int()
+}).passthrough();
+// src/authorization-challenge/z-authorization-challenge.ts
+var zAuthorizationChallengeRequest = z13.object({
   // authorization challenge request can include same parameters as an authorization request
   // except for response_type (always `code`), and `client_id` is optional (becase
   // it's possible to do client authentication using different methods)
-  ...v15.omit(vAuthorizationRequest, ["response_type", "client_id"]).entries,
-  client_id: v15.optional(vAuthorizationRequest.entries.client_id),
-  auth_session: v15.optional(v15.string()),
+  ...zAuthorizationRequest.omit({ response_type: true, client_id: true }).shape,
+  client_id: z13.optional(zAuthorizationRequest.shape.client_id),
+  auth_session: z13.optional(z13.string()),
   // DRAFT presentation during issuance
-  presentation_during_issuance_session: v15.optional(v15.string())
-});
-var vAuthorizationChallengeResponse = v15.looseObject({
-  authorization_code: v15.string()
-});
-var vAuthorizationChallengeErrorResponse = v15.looseObject({
-  ...vOauth2ErrorResponse.entries,
-  auth_session: v15.optional(v15.string()),
-  request_uri: v15.optional(v15.string()),
-  expires_in: v15.optional(vInteger5),
+  presentation_during_issuance_session: z13.optional(z13.string())
+}).passthrough();
+var zAuthorizationChallengeResponse = z13.object({
+  authorization_code: z13.string()
+}).passthrough();
+var zAuthorizationChallengeErrorResponse = z13.object({
+  ...zOauth2ErrorResponse.shape,
+  auth_session: z13.optional(z13.string()),
+  request_uri: z13.optional(z13.string()),
+  expires_in: z13.optional(zInteger5),
   // DRAFT: presentation during issuance
-  presentation: v15.optional(v15.string())
-});
+  presentation: z13.optional(z13.string())
+}).passthrough();
 // src/authorization-challenge/create-authorization-challenge-response.ts
 function createAuthorizationChallengeResponse(options) {
-  const authorizationChallengeResponse = parseWithErrorHandling7(vAuthorizationChallengeResponse, {
+  const authorizationChallengeResponse = parseWithErrorHandling7(zAuthorizationChallengeResponse, {
     ...options.additionalPayload,
     authorization_code: options.authorizationCode
   });
   return { authorizationChallengeResponse };
 }
 function createAuthorizationChallengeErrorResponse(options) {
-  const authorizationChallengeErrorResponse = parseWithErrorHandling7(vAuthorizationChallengeErrorResponse, {
+  const authorizationChallengeErrorResponse = parseWithErrorHandling7(zAuthorizationChallengeErrorResponse, {
     ...options.additionalPayload,
     // General FiPA
     error: options.error,
@@ -1708,7 +1725,7 @@ function createAuthorizationChallengeErrorResponse(options) {
 import { parseWithErrorHandling as parseWithErrorHandling8 } from "@openid4vc/utils";
 function parseAuthorizationChallengeRequest(options) {
   const authorizationChallengeRequest = parseWithErrorHandling8(
-    vAuthorizationChallengeRequest,
+    zAuthorizationChallengeRequest,
     options.authorizationChallengeRequest
   );
   return { authorizationChallengeRequest };
@@ -1717,58 +1734,58 @@ function parseAuthorizationChallengeRequest(options) {
 // src/client-attestation/clent-attestation.ts
 import { dateToSeconds as dateToSeconds4, parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
-// src/client-attestation/v-client-attestation.ts
-import * as v16 from "valibot";
-import { vHttpsUrl as vHttpsUrl5, vInteger as vInteger6 } from "@openid4vc/utils";
-var vOauthClientAttestationHeader = v16.literal("OAuth-Client-Attestation");
-var oauthClientAttestationHeader = vOauthClientAttestationHeader.literal;
-var vClientAttestationJwtPayload = v16.looseObject({
-  ...vJwtPayload.entries,
-  iss: v16.string(),
-  sub: v16.string(),
-  exp: vInteger6,
-  cnf: v16.looseObject({
-    jwk: vJwk,
-    key_type: v16.optional(
-      v16.union([
-        v16.picklist(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
-        v16.string()
+// src/client-attestation/z-client-attestation.ts
+import { zHttpsUrl as zHttpsUrl5, zInteger as zInteger6 } from "@openid4vc/utils";
+import z14 from "zod";
+var zOauthClientAttestationHeader = z14.literal("OAuth-Client-Attestation");
+var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
+var zClientAttestationJwtPayload = z14.object({
+  ...zJwtPayload.shape,
+  iss: z14.string(),
+  sub: z14.string(),
+  exp: zInteger6,
+  cnf: z14.object({
+    jwk: zJwk,
+    key_type: z14.optional(
+      z14.union([
+        z14.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
+        z14.string()
       ])
     ),
-    user_authentication: v16.optional(
-      v16.union([
-        v16.picklist(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
-        v16.string()
+    user_authentication: z14.optional(
+      z14.union([
+        z14.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
+        z14.string()
       ])
     )
-  }),
-  aal: v16.optional(v16.string())
-});
-var vClientAttestationJwtHeader = v16.looseObject({
-  ...vJwtHeader.entries,
-  typ: v16.literal("oauth-client-attestation+jwt")
-});
-var vOauthClientAttestationPopHeader = v16.literal("OAuth-Client-Attestation-PoP");
-var oauthClientAttestationPopHeader = vOauthClientAttestationPopHeader.literal;
-var vClientAttestationPopJwtPayload = v16.looseObject({
-  ...vJwtPayload.entries,
-  iss: v16.string(),
-  exp: vInteger6,
-  aud: vHttpsUrl5,
-  jti: v16.string(),
-  nonce: v16.optional(v16.string())
-});
-var vClientAttestationPopJwtHeader = v16.looseObject({
-  ...vJwtHeader.entries,
-  typ: v16.literal("oauth-client-attestation-pop+jwt")
-});
+  }).passthrough(),
+  aal: z14.optional(z14.string())
+}).passthrough();
+var zClientAttestationJwtHeader = z14.object({
+  ...zJwtHeader.shape,
+  typ: z14.literal("oauth-client-attestation+jwt")
+}).passthrough();
+var zOauthClientAttestationPopHeader = z14.literal("OAuth-Client-Attestation-PoP");
+var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
+var zClientAttestationPopJwtPayload = z14.object({
+  ...zJwtPayload.shape,
+  iss: z14.string(),
+  exp: zInteger6,
+  aud: zHttpsUrl5,
+  jti: z14.string(),
+  nonce: z14.optional(z14.string())
+}).passthrough();
+var zClientAttestationPopJwtHeader = z14.object({
+  ...zJwtHeader.shape,
+  typ: z14.literal("oauth-client-attestation-pop+jwt")
+}).passthrough();
 // src/client-attestation/clent-attestation.ts
 async function verifyClientAttestationJwt(options) {
   const { header, payload } = decodeJwt({
     jwt: options.clientAttestationJwt,
-    headerSchema: vClientAttestationJwtHeader,
-    payloadSchema: vClientAttestationJwtPayload
+    headerSchema: zClientAttestationJwtHeader,
+    payloadSchema: zClientAttestationJwtPayload
   });
   const { signer } = await verifyJwt({
     signer: jwtSignerFromJwt({ header, payload }),
@@ -1786,11 +1803,11 @@ async function verifyClientAttestationJwt(options) {
   };
 }
 async function createClientAttestationJwt(options) {
-  const header = parseWithErrorHandling9(vClientAttestationJwtHeader, {
+  const header = parseWithErrorHandling9(zClientAttestationJwtHeader, {
     typ: "oauth-client-attestation+jwt",
     ...jwtHeaderFromJwtSigner(options.signer)
   });
-  const payload = parseWithErrorHandling9(vClientAttestationJwtPayload, {
+  const payload = parseWithErrorHandling9(zClientAttestationJwtPayload, {
     iss: options.issuer,
     iat: dateToSeconds4(options.issuedAt),
     exp: dateToSeconds4(options.expiresAt),
@@ -1844,8 +1861,8 @@ async function createClientAttestationForRequest(options) {
 async function verifyClientAttestationPopJwt(options) {
   const { header, payload } = decodeJwt({
     jwt: options.clientAttestationPopJwt,
-    headerSchema: vClientAttestationPopJwtHeader,
-    payloadSchema: vClientAttestationPopJwtPayload
+    headerSchema: zClientAttestationPopJwtHeader,
+    payloadSchema: zClientAttestationPopJwtPayload
   });
   if (payload.iss !== options.clientAttestation.payload.sub) {
     throw new Oauth2Error(
@@ -1878,17 +1895,17 @@ async function verifyClientAttestationPopJwt(options) {
   };
 }
 async function createClientAttestationPopJwt(options) {
-  const header = parseWithErrorHandling10(vClientAttestationPopJwtHeader, {
+  const header = parseWithErrorHandling10(zClientAttestationPopJwtHeader, {
     typ: "oauth-client-attestation-pop+jwt",
     alg: options.signer.alg
   });
   const clientAttestation = decodeJwt({
     jwt: options.clientAttestation,
-    headerSchema: vClientAttestationJwtHeader,
-    payloadSchema: vClientAttestationJwtPayload
+    headerSchema: zClientAttestationJwtHeader,
+    payloadSchema: zClientAttestationJwtPayload
   });
   const expiresAt = options.expiresAt ?? addSecondsToDate2(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
-  const payload = parseWithErrorHandling10(vClientAttestationPopJwtPayload, {
+  const payload = parseWithErrorHandling10(zClientAttestationPopJwtPayload, {
     aud: options.authorizationServer,
     iss: clientAttestation.payload.sub,
     iat: dateToSeconds5(options.issuedAt),
@@ -1911,7 +1928,7 @@ var Oauth2AuthorizationServer = class {
   }
   createAuthorizationServerMetadata(authorizationServerMetadata) {
     return parseWithErrorHandling11(
-      vAuthorizationServerMetadata,
+      zAuthorizationServerMetadata,
       authorizationServerMetadata,
       "Error validating authorization server metadata"
     );
@@ -2036,9 +2053,8 @@ var Oauth2ResourceServer = class {
 import { objectToQueryParams as objectToQueryParams5 } from "@openid4vc/utils";
 // src/access-token/retrieve-access-token.ts
-import { ContentType as ContentType4, createValibotFetcher as createValibotFetcher4, objectToQueryParams as objectToQueryParams2, parseWithErrorHandling as parseWithErrorHandling12 } from "@openid4vc/utils";
+import { ContentType as ContentType4, createZodFetcher as createZodFetcher4, objectToQueryParams as objectToQueryParams2, parseWithErrorHandling as parseWithErrorHandling12 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError4 } from "@openid4vc/utils";
-import * as v17 from "valibot";
 async function retrievePreAuthorizedCodeAccessToken(options) {
   const request = {
     grant_type: preAuthorizedCodeGrantIdentifier,
@@ -2091,9 +2107,9 @@ async function retrieveRefreshTokenAccessToken(options) {
   });
 }
 async function retrieveAccessToken(options) {
-  const fetchWithValibot = createValibotFetcher4(options.callbacks.fetch);
+  const fetchWithZod = createZodFetcher4(options.callbacks.fetch);
   const accessTokenRequest = parseWithErrorHandling12(
-    vAccessTokenRequest,
+    zAccessTokenRequest,
     options.request,
     "Error validating access token request"
   );
@@ -2121,8 +2137,8 @@ async function retrieveAccessToken(options) {
         ...accessTokenRequest,
         ...clientAttestation?.body
       });
-      const { response, result } = await fetchWithValibot(
-        vAccessTokenResponse,
+      const { response, result } = await fetchWithZod(
+        zAccessTokenResponse,
         ContentType4.Json,
         options.authorizationServerMetadata.token_endpoint,
         {
@@ -2136,14 +2152,13 @@ async function retrieveAccessToken(options) {
         }
       );
       if (!response.ok || !result) {
-        const tokenErrorResponse = v17.safeParse(
-          vAccessTokenErrorResponse,
+        const tokenErrorResponse = zAccessTokenErrorResponse.safeParse(
           await response.clone().json().catch(() => null)
         );
         if (tokenErrorResponse.success) {
           throw new Oauth2ClientErrorResponseError(
             `Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received token error response with status ${response.status}`,
-            tokenErrorResponse.output,
+            tokenErrorResponse.data,
             response
           );
         }
@@ -2154,7 +2169,7 @@ async function retrieveAccessToken(options) {
         );
       }
       if (!result.success) {
-        throw new ValidationError("Error validating access token response", result.issues);
+        throw new ValidationError("Error validating access token response", result.error);
       }
       const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
       return {
@@ -2162,7 +2177,7 @@ async function retrieveAccessToken(options) {
           ...dpop,
           nonce: dpopNonce
         } : void 0,
-        accessTokenResponse: result.output
+        accessTokenResponse: result.data
       };
     }
   });
@@ -2172,14 +2187,13 @@ async function retrieveAccessToken(options) {
 import {
   ContentType as ContentType5,
   ValidationError as ValidationError3,
-  createValibotFetcher as createValibotFetcher5,
+  createZodFetcher as createZodFetcher5,
   objectToQueryParams as objectToQueryParams3,
   parseWithErrorHandling as parseWithErrorHandling13
 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError5 } from "@openid4vc/utils";
-import * as v18 from "valibot";
 async function sendAuthorizationChallengeRequest(options) {
-  const fetchWithValibot = createValibotFetcher5(options.callbacks.fetch);
+  const fetchWithZod = createZodFetcher5(options.callbacks.fetch);
   const authorizationServerMetadata = options.authorizationServerMetadata;
   const authorizationChallengeEndpoint = authorizationServerMetadata.authorization_challenge_endpoint;
   if (!authorizationChallengeEndpoint) {
@@ -2197,7 +2211,7 @@ async function sendAuthorizationChallengeRequest(options) {
     clientAttestation: options.clientAttestation,
     callbacks: options.callbacks
   }) : void 0;
-  const authorizationChallengeRequest = parseWithErrorHandling13(vAuthorizationChallengeRequest, {
+  const authorizationChallengeRequest = parseWithErrorHandling13(zAuthorizationChallengeRequest, {
     ...options.additionalRequestPayload,
     auth_session: options.authSession,
     client_id: options.clientId,
@@ -2220,8 +2234,8 @@ async function sendAuthorizationChallengeRequest(options) {
         callbacks: options.callbacks,
         nonce: dpop.nonce
       }) : void 0;
-      const { response, result } = await fetchWithValibot(
-        vAuthorizationChallengeResponse,
+      const { response, result } = await fetchWithZod(
+        zAuthorizationChallengeResponse,
         ContentType5.Json,
         authorizationChallengeEndpoint,
         {
@@ -2235,14 +2249,13 @@ async function sendAuthorizationChallengeRequest(options) {
         }
       );
       if (!response.ok || !result) {
-        const authorizationChallengeErrorResponse = v18.safeParse(
-          vAuthorizationChallengeErrorResponse,
+        const authorizationChallengeErrorResponse = zAuthorizationChallengeErrorResponse.safeParse(
           await response.clone().json().catch(() => null)
         );
         if (authorizationChallengeErrorResponse.success) {
           throw new Oauth2ClientAuthorizationChallengeError(
             `Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`,
-            authorizationChallengeErrorResponse.output,
+            authorizationChallengeErrorResponse.data,
             response
           );
         }
@@ -2253,7 +2266,7 @@ async function sendAuthorizationChallengeRequest(options) {
         );
       }
       if (!result.success) {
-        throw new ValidationError3("Error validating authorization challenge response", result.issues);
+        throw new ValidationError3("Error validating authorization challenge response", result.error);
       }
       const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
       return {
@@ -2262,16 +2275,15 @@ async function sendAuthorizationChallengeRequest(options) {
           ...dpop,
           nonce: dpopNonce
         } : void 0,
-        authorizationChallengeResponse: result.output
+        authorizationChallengeResponse: result.data
       };
     }
   });
 }
 // src/authorization-request/create-authorization-request.ts
-import { ContentType as ContentType6, createValibotFetcher as createValibotFetcher6, objectToQueryParams as objectToQueryParams4 } from "@openid4vc/utils";
+import { ContentType as ContentType6, createZodFetcher as createZodFetcher6, objectToQueryParams as objectToQueryParams4 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError6 } from "@openid4vc/utils";
-import * as v19 from "valibot";
 async function createAuthorizationRequestUrl(options) {
   const authorizationServerMetadata = options.authorizationServerMetadata;
   const pushedAuthorizationRequestEndpoint = authorizationServerMetadata.pushed_authorization_request_endpoint;
@@ -2361,14 +2373,14 @@ async function createAuthorizationRequestUrl(options) {
   };
 }
 async function pushAuthorizationRequest(options) {
-  const fetchWithValibot = createValibotFetcher6(options.fetch);
+  const fetchWithZod = createZodFetcher6(options.fetch);
   if (options.authorizationRequest.request_uri) {
     throw new Oauth2Error(
       `Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization reuqests.`
     );
   }
-  const { response, result } = await fetchWithValibot(
-    vPushedAuthorizationResponse,
+  const { response, result } = await fetchWithZod(
+    zPushedAuthorizationResponse,
     ContentType6.Json,
     options.pushedAuthorizationRequestEndpoint,
     {
@@ -2381,14 +2393,13 @@ async function pushAuthorizationRequest(options) {
     }
   );
   if (!response.ok || !result) {
-    const parErrorResponse = v19.safeParse(
-      vOauth2ErrorResponse,
+    const parErrorResponse = zOauth2ErrorResponse.safeParse(
       await response.clone().json().catch(() => null)
     );
     if (parErrorResponse.success) {
       throw new Oauth2ClientErrorResponseError(
         `Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`,
-        parErrorResponse.output,
+        parErrorResponse.data,
         response
       );
     }
@@ -2399,12 +2410,12 @@ async function pushAuthorizationRequest(options) {
     );
   }
   if (!result.success) {
-    throw new ValidationError("Error validating pushed authorization response", result.issues);
+    throw new ValidationError("Error validating pushed authorization response", result.error);
   }
   const dpopNonce = extractDpopNonceFromHeaders(response.headers);
   return {
     dpopNonce,
-    pushedAuthorizationResponse: result.output
+    pushedAuthorizationResponse: result.data
   };
 }
@@ -2626,16 +2637,16 @@ export {
   refreshTokenGrantIdentifier,
   resourceRequest,
   setGlobalConfig,
-  vAuthorizationCodeGrantIdentifier,
-  vAuthorizationServerMetadata,
-  vCompactJwt,
-  vJwk,
-  vJwtHeader,
-  vJwtPayload,
-  vOauth2ErrorResponse,
-  vPreAuthorizedCodeGrantIdentifier,
-  vRefreshTokenGrantIdentifier,
   verifyJwt,
-  verifyResourceRequest
+  verifyResourceRequest,
+  zAuthorizationCodeGrantIdentifier,
+  zAuthorizationServerMetadata,
+  zCompactJwt,
+  zJwk,
+  zJwtHeader,
+  zJwtPayload,
+  zOauth2ErrorResponse,
+  zPreAuthorizedCodeGrantIdentifier,
+  zRefreshTokenGrantIdentifier
 };
 //# sourceMappingURL=index.mjs.map