@openid4vc/oauth2 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250325212250

package/dist/index.mjs

@@ -429,6 +429,303 @@ var zCompactJwe = z6.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9
   message: "Not a valid compact jwe"
 });
 
+// src/client-attestation/clent-attestation.ts
+import { dateToSeconds as dateToSeconds3, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
+
+// src/common/jwt/verify-jwt.ts
+import { dateToSeconds } from "@openid4vc/utils";
+
+// src/error/Oauth2JwtVerificationError.ts
+var Oauth2JwtVerificationError = class extends Oauth2Error {
+  constructor(message, options) {
+    const errorMessage = message ?? "Error verifiying jwt.";
+    super(errorMessage, options);
+  }
+};
+
+// src/common/jwt/verify-jwt.ts
+async function verifyJwt(options) {
+  const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
+  let signerJwk;
+  try {
+    const result = await options.verifyJwtCallback(options.signer, {
+      header: options.header,
+      payload: options.payload,
+      compact: options.compact
+    });
+    if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
+    signerJwk = result.signerJwk;
+  } catch (error) {
+    if (error instanceof Oauth2JwtVerificationError) throw error;
+    throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
+  }
+  const nowInSeconds = dateToSeconds(options.now ?? /* @__PURE__ */ new Date());
+  const skewInSeconds = options.allowedSkewInSeconds ?? 0;
+  const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
+  if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
+  }
+  if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
+  }
+  if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
+  }
+  if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
+  }
+  if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
+  }
+  if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
+  }
+  if (options.requiredClaims) {
+    for (const claim of options.requiredClaims) {
+      if (!options.payload[claim]) {
+        throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
+      }
+    }
+  }
+  return {
+    signer: {
+      ...options.signer,
+      publicJwk: signerJwk
+    }
+  };
+}
+
+// src/error/Oauth2ServerErrorResponseError.ts
+var Oauth2ServerErrorResponseError = class extends Oauth2Error {
+  constructor(errorResponse, options) {
+    super(
+      `${options?.internalMessage ?? errorResponse.error_description}
+${JSON.stringify(errorResponse, null, 2)}`,
+      options
+    );
+    this.errorResponse = errorResponse;
+    this.status = options?.status ?? 400;
+  }
+};
+
+// src/client-attestation/client-attestation-pop.ts
+import { addSecondsToDate, dateToSeconds as dateToSeconds2, encodeToBase64Url as encodeToBase64Url2, parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
+
+// src/client-attestation/z-client-attestation.ts
+import { zHttpsUrl, zInteger as zInteger2 } from "@openid4vc/utils";
+import z7 from "zod";
+var zOauthClientAttestationHeader = z7.literal("OAuth-Client-Attestation");
+var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
+var zClientAttestationJwtPayload = z7.object({
+  ...zJwtPayload.shape,
+  iss: z7.string(),
+  sub: z7.string(),
+  exp: zInteger2,
+  cnf: z7.object({
+    jwk: zJwk
+  }).passthrough(),
+  // OID4VCI Wallet Attestation Extensions
+  wallet_name: z7.string().optional(),
+  wallet_link: z7.string().url().optional()
+}).passthrough();
+var zClientAttestationJwtHeader = z7.object({
+  ...zJwtHeader.shape,
+  typ: z7.literal("oauth-client-attestation+jwt")
+}).passthrough();
+var zOauthClientAttestationPopHeader = z7.literal("OAuth-Client-Attestation-PoP");
+var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
+var zClientAttestationPopJwtPayload = z7.object({
+  ...zJwtPayload.shape,
+  iss: z7.string(),
+  exp: zInteger2,
+  aud: zHttpsUrl,
+  jti: z7.string(),
+  nonce: z7.optional(z7.string())
+}).passthrough();
+var zClientAttestationPopJwtHeader = z7.object({
+  ...zJwtHeader.shape,
+  typ: z7.literal("oauth-client-attestation-pop+jwt")
+}).passthrough();
+
+// src/client-attestation/client-attestation-pop.ts
+async function verifyClientAttestationPopJwt(options) {
+  const { header, payload } = decodeJwt({
+    jwt: options.clientAttestationPopJwt,
+    headerSchema: zClientAttestationPopJwtHeader,
+    payloadSchema: zClientAttestationPopJwtPayload
+  });
+  if (payload.iss !== options.clientAttestation.payload.sub) {
+    throw new Oauth2Error(
+      `Client Attestation Pop jwt contains 'iss' (client_id) value '${payload.iss}', but expected 'sub' value from client attestation '${options.clientAttestation.payload.sub}'`
+    );
+  }
+  if (payload.aud !== options.authorizationServer) {
+    throw new Oauth2Error(
+      `Client Attestation Pop jwt contains 'aud' value '${payload.aud}', but expected authorization server identifier '${options.authorizationServer}'`
+    );
+  }
+  const { signer } = await verifyJwt({
+    signer: {
+      alg: header.alg,
+      method: "jwk",
+      publicJwk: options.clientAttestation.payload.cnf.jwk
+    },
+    now: options.now,
+    header,
+    expectedNonce: options.expectedNonce,
+    payload,
+    compact: options.clientAttestationPopJwt,
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "client attestation pop jwt verification failed"
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
+async function createClientAttestationPopJwt(options) {
+  const clientAttestation = decodeJwt({
+    jwt: options.clientAttestation,
+    headerSchema: zClientAttestationJwtHeader,
+    payloadSchema: zClientAttestationJwtPayload
+  });
+  const signer = options.signer ?? {
+    method: "jwk",
+    alg: clientAttestation.header.alg,
+    publicJwk: clientAttestation.payload.cnf.jwk
+  };
+  const header = parseWithErrorHandling4(zClientAttestationPopJwtHeader, {
+    typ: "oauth-client-attestation-pop+jwt",
+    alg: signer.alg
+  });
+  const expiresAt = options.expiresAt ?? addSecondsToDate(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
+  const payload = parseWithErrorHandling4(zClientAttestationPopJwtPayload, {
+    aud: options.authorizationServer,
+    iss: clientAttestation.payload.sub,
+    iat: dateToSeconds2(options.issuedAt),
+    exp: dateToSeconds2(expiresAt),
+    jti: encodeToBase64Url2(await options.callbacks.generateRandom(32)),
+    nonce: options.nonce,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(signer, {
+    header,
+    payload
+  });
+  return jwt;
+}
+
+// src/client-attestation/clent-attestation.ts
+async function verifyClientAttestationJwt(options) {
+  const { header, payload } = decodeJwt({
+    jwt: options.clientAttestationJwt,
+    headerSchema: zClientAttestationJwtHeader,
+    payloadSchema: zClientAttestationJwtPayload
+  });
+  const { signer } = await verifyJwt({
+    signer: jwtSignerFromJwt({ header, payload }),
+    now: options.now,
+    header,
+    payload,
+    compact: options.clientAttestationJwt,
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "client attestation jwt verification failed"
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
+async function createClientAttestationJwt(options) {
+  const header = parseWithErrorHandling5(zClientAttestationJwtHeader, {
+    typ: "oauth-client-attestation+jwt",
+    ...jwtHeaderFromJwtSigner(options.signer)
+  });
+  const payload = parseWithErrorHandling5(zClientAttestationJwtPayload, {
+    iss: options.issuer,
+    iat: dateToSeconds3(options.issuedAt),
+    exp: dateToSeconds3(options.expiresAt),
+    sub: options.clientId,
+    cnf: options.confirmation,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(options.signer, {
+    header,
+    payload
+  });
+  return jwt;
+}
+function extractClientAttestationJwtsFromHeaders(headers) {
+  const clientAttestationHeader = headers.get(oauthClientAttestationHeader);
+  const clientAttestationPopHeader = headers.get(oauthClientAttestationPopHeader);
+  if (!clientAttestationHeader && !clientAttestationPopHeader) {
+    return { valid: true };
+  }
+  if (!clientAttestationHeader || !clientAttestationPopHeader) {
+    return { valid: false };
+  }
+  if (!zCompactJwt.safeParse(clientAttestationHeader).success || !zCompactJwt.safeParse(clientAttestationPopHeader).success) {
+    return { valid: false };
+  }
+  return {
+    valid: true,
+    clientAttestationPopHeader,
+    clientAttestationHeader
+  };
+}
+async function verifyClientAttestation({
+  authorizationServer,
+  clientAttestationJwt,
+  clientAttestationPopJwt,
+  callbacks,
+  now
+}) {
+  try {
+    const clientAttestation = await verifyClientAttestationJwt({
+      callbacks,
+      clientAttestationJwt,
+      now
+    });
+    const clientAttestationPop = await verifyClientAttestationPopJwt({
+      callbacks,
+      authorizationServer,
+      clientAttestation,
+      clientAttestationPopJwt,
+      now
+    });
+    return {
+      clientAttestation,
+      clientAttestationPop
+    };
+  } catch (error) {
+    if (error instanceof Oauth2Error) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: "invalid_client" /* InvalidClient */,
+          error_description: `Error verifying client attestation. ${error.message}`
+        },
+        {
+          status: 401,
+          cause: error
+        }
+      );
+    }
+    throw new Oauth2ServerErrorResponseError(
+      {
+        error: "server_error" /* ServerError */,
+        error_description: "Error during verification of client attestation jwt"
+      },
+      {
+        status: 500,
+        cause: error,
+        internalMessage: "Unknown error thrown during verification of client attestation jwt"
+      }
+    );
+  }
+}
+
 // src/index.ts
 import { InvalidFetchResponseError as InvalidFetchResponseError7 } from "@openid4vc/utils";
 
@@ -450,14 +747,6 @@ var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorRes
   }
 };
 
-// src/error/Oauth2JwtVerificationError.ts
-var Oauth2JwtVerificationError = class extends Oauth2Error {
-  constructor(message, options) {
-    const errorMessage = message ?? "Error verifiying jwt.";
-    super(errorMessage, options);
-  }
-};
-
 // src/error/Oauth2ResourceUnauthorizedError.ts
 import { encodeWwwAuthenticateHeader, parseWwwAuthenticateHeader } from "@openid4vc/utils";
 var Oauth2ResourceUnauthorizedError = class _Oauth2ResourceUnauthorizedError extends Oauth2Error {
@@ -496,19 +785,6 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
   }
 };
 
-// src/error/Oauth2ServerErrorResponseError.ts
-var Oauth2ServerErrorResponseError = class extends Oauth2Error {
-  constructor(errorResponse, options) {
-    super(
-      `${options?.internalMessage ?? errorResponse.error_description}
-${JSON.stringify(errorResponse, null, 2)}`,
-      options
-    );
-    this.errorResponse = errorResponse;
-    this.status = options?.status ?? 400;
-  }
-};
-
 // src/metadata/authorization-server/authorization-server-metadata.ts
 import { URL, joinUriParts } from "@openid4vc/utils";
 
@@ -516,7 +792,7 @@ import { URL, joinUriParts } from "@openid4vc/utils";
 import { ContentType, createZodFetcher } from "@openid4vc/utils";
 import { InvalidFetchResponseError } from "@openid4vc/utils";
 
-// ../utils/src/error/ValidationError.ts
+// ../utils/src/zod-error.ts
 import { ZodIssueCode } from "zod";
 var constants = {
   // biome-ignore lint/suspicious/noMisleadingCharacterClass: expected
@@ -524,69 +800,71 @@ var constants = {
   unionSeparator: ", or ",
   issueSeparator: "\n	- "
 };
-var ValidationError = class extends Error {
-  escapeQuotes(str) {
-    return str.replace(/"/g, '\\"');
+function escapeQuotes(str) {
+  return str.replace(/"/g, '\\"');
+}
+function joinPath(path) {
+  if (path.length === 1) {
+    return path[0].toString();
   }
-  joinPath(path) {
-    if (path.length === 1) {
-      return path[0].toString();
-    }
-    return path.reduce((acc, item) => {
-      if (typeof item === "number") {
-        return `${acc}[${item.toString()}]`;
-      }
-      if (item.includes('"')) {
-        return `${acc}["${this.escapeQuotes(item)}"]`;
-      }
-      if (!constants.identifierRegex.test(item)) {
-        return `${acc}["${item}"]`;
-      }
-      const separator = acc.length === 0 ? "" : ".";
-      return acc + separator + item;
-    }, "");
-  }
-  getMessageFromUnionErrors(unionErrors) {
-    return unionErrors.reduce((acc, zodError) => {
-      const newIssues = zodError.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
-      if (!acc.includes(newIssues)) acc.push(newIssues);
-      return acc;
-    }, []).join(constants.unionSeparator);
-  }
-  getMessageFromZodIssue(issue) {
-    if (issue.code === ZodIssueCode.invalid_union) {
-      return this.getMessageFromUnionErrors(issue.unionErrors);
+  return path.reduce((acc, item) => {
+    if (typeof item === "number") {
+      return `${acc}[${item.toString()}]`;
     }
-    if (issue.code === ZodIssueCode.invalid_arguments) {
-      return [issue.message, ...issue.argumentsError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
-        constants.issueSeparator
-      );
+    if (item.includes('"')) {
+      return `${acc}["${escapeQuotes(item)}"]`;
     }
-    if (issue.code === ZodIssueCode.invalid_return_type) {
-      return [issue.message, ...issue.returnTypeError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
-        constants.issueSeparator
-      );
+    if (!constants.identifierRegex.test(item)) {
+      return `${acc}["${item}"]`;
     }
-    if (issue.path.length !== 0) {
-      if (issue.path.length === 1) {
-        const identifier = issue.path[0];
-        if (typeof identifier === "number") {
-          return `${issue.message} at index ${identifier}`;
-        }
+    const separator = acc.length === 0 ? "" : ".";
+    return acc + separator + item;
+  }, "");
+}
+function getMessageFromZodIssue(issue) {
+  if (issue.code === ZodIssueCode.invalid_union) {
+    return getMessageFromUnionErrors(issue.unionErrors);
+  }
+  if (issue.code === ZodIssueCode.invalid_arguments) {
+    return [issue.message, ...issue.argumentsError.issues.map((issue2) => getMessageFromZodIssue(issue2))].join(
+      constants.issueSeparator
+    );
+  }
+  if (issue.code === ZodIssueCode.invalid_return_type) {
+    return [issue.message, ...issue.returnTypeError.issues.map((issue2) => getMessageFromZodIssue(issue2))].join(
+      constants.issueSeparator
+    );
+  }
+  if (issue.path.length !== 0) {
+    if (issue.path.length === 1) {
+      const identifier = issue.path[0];
+      if (typeof identifier === "number") {
+        return `${issue.message} at index ${identifier}`;
       }
-      return `${issue.message} at "${this.joinPath(issue.path)}"`;
     }
-    return issue.message;
-  }
-  formatError(error) {
-    if (!error) return "";
-    return error?.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
+    return `${issue.message} at "${joinPath(issue.path)}"`;
   }
+  return issue.message;
+}
+function getMessageFromUnionErrors(unionErrors) {
+  return unionErrors.reduce((acc, zodError) => {
+    const newIssues = zodError.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator);
+    if (!acc.includes(newIssues)) acc.push(newIssues);
+    return acc;
+  }, []).join(constants.unionSeparator);
+}
+function formatZodError(error) {
+  if (!error) return "";
+  return `	- ${error?.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator)}`;
+}
+
+// ../utils/src/error/ValidationError.ts
+var ValidationError = class extends Error {
   constructor(message, zodError) {
     super(message);
-    const formattedError = this.formatError(zodError);
+    const formattedError = formatZodError(zodError);
     this.message = `${message}
-	- ${formattedError}`;
+${formattedError}`;
     Object.defineProperty(this, "zodError", {
       value: zodError,
       writable: false,
@@ -616,31 +894,40 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
 }
 
 // src/metadata/authorization-server/z-authorization-server-metadata.ts
-import { zHttpsUrl } from "@openid4vc/utils";
-import z7 from "zod";
-var zAuthorizationServerMetadata = z7.object({
-  issuer: zHttpsUrl,
-  token_endpoint: zHttpsUrl,
-  token_endpoint_auth_methods_supported: z7.optional(z7.array(z7.string())),
-  authorization_endpoint: z7.optional(zHttpsUrl),
-  jwks_uri: z7.optional(zHttpsUrl),
+import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
+import z8 from "zod";
+var knownClientAuthenticationMethod = z8.enum([
+  "client_secret_basic",
+  "client_secret_post",
+  "attest_jwt_client_auth",
+  "client_secret_jwt",
+  "private_key_jwt"
+]);
+var zAuthorizationServerMetadata = z8.object({
+  issuer: zHttpsUrl2,
+  token_endpoint: zHttpsUrl2,
+  token_endpoint_auth_methods_supported: z8.optional(z8.array(z8.union([knownClientAuthenticationMethod, z8.string()]))),
+  authorization_endpoint: z8.optional(zHttpsUrl2),
+  jwks_uri: z8.optional(zHttpsUrl2),
   // RFC7636
-  code_challenge_methods_supported: z7.optional(z7.array(z7.string())),
+  code_challenge_methods_supported: z8.optional(z8.array(z8.string())),
   // RFC9449
-  dpop_signing_alg_values_supported: z7.optional(z7.array(z7.string())),
+  dpop_signing_alg_values_supported: z8.optional(z8.array(z8.string())),
   // RFC9126
-  require_pushed_authorization_requests: z7.optional(z7.boolean()),
-  pushed_authorization_request_endpoint: z7.optional(zHttpsUrl),
+  require_pushed_authorization_requests: z8.optional(z8.boolean()),
+  pushed_authorization_request_endpoint: z8.optional(zHttpsUrl2),
   // RFC9068
-  introspection_endpoint: z7.optional(zHttpsUrl),
-  introspection_endpoint_auth_methods_supported: z7.optional(
-    z7.array(z7.union([z7.literal("client_secret_jwt"), z7.literal("private_key_jwt"), z7.string()]))
+  introspection_endpoint: z8.optional(zHttpsUrl2),
+  introspection_endpoint_auth_methods_supported: z8.optional(
+    z8.array(z8.union([knownClientAuthenticationMethod, z8.string()]))
   ),
-  introspection_endpoint_auth_signing_alg_values_supported: z7.optional(z7.array(zAlgValueNotNone)),
+  introspection_endpoint_auth_signing_alg_values_supported: z8.optional(z8.array(zAlgValueNotNone)),
   // FiPA (no RFC yet)
-  authorization_challenge_endpoint: z7.optional(zHttpsUrl),
+  authorization_challenge_endpoint: z8.optional(zHttpsUrl2),
   // From OpenID4VCI specification
-  pre_authorized_grant_anonymous_access_supported: z7.optional(z7.boolean())
+  pre_authorized_grant_anonymous_access_supported: z8.optional(z8.boolean()),
+  // Attestation Based Client Auth (draft 5)
+  client_attestation_pop_nonce_required: z8.boolean().optional()
 }).passthrough().refine(
   ({
     introspection_endpoint_auth_methods_supported: methodsSupported,
@@ -736,78 +1023,25 @@ async function fetchJwks(jwksUrl, fetch) {
   return result.data;
 }
 
-// src/common/jwt/verify-jwt.ts
-import { dateToSeconds } from "@openid4vc/utils";
-async function verifyJwt(options) {
-  const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
-  let signerJwk;
-  try {
-    const result = await options.verifyJwtCallback(options.signer, {
-      header: options.header,
-      payload: options.payload,
-      compact: options.compact
-    });
-    if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
-    signerJwk = result.signerJwk;
-  } catch (error) {
-    if (error instanceof Oauth2JwtVerificationError) throw error;
-    throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
-  }
-  const nowInSeconds = dateToSeconds(options.now ?? /* @__PURE__ */ new Date());
-  const skewInSeconds = options.allowedSkewInSeconds ?? 0;
-  const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
-  if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
-  }
-  if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
-  }
-  if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
-  }
-  if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
-  }
-  if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
-  }
-  if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
-  }
-  if (options.requiredClaims) {
-    for (const claim of options.requiredClaims) {
-      if (!options.payload[claim]) {
-        throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
-      }
-    }
-  }
-  return {
-    signer: {
-      ...options.signer,
-      publicJwk: signerJwk
-    }
-  };
-}
-
 // src/access-token/z-access-token-jwt.ts
-import { zInteger as zInteger2 } from "@openid4vc/utils";
-import z8 from "zod";
-var zAccessTokenProfileJwtHeader = z8.object({
+import { zInteger as zInteger3 } from "@openid4vc/utils";
+import z9 from "zod";
+var zAccessTokenProfileJwtHeader = z9.object({
   ...zJwtHeader.shape,
-  typ: z8.enum(["application/at+jwt", "at+jwt"])
+  typ: z9.enum(["application/at+jwt", "at+jwt"])
 }).passthrough();
-var zAccessTokenProfileJwtPayload = z8.object({
+var zAccessTokenProfileJwtPayload = z9.object({
   ...zJwtPayload.shape,
-  iss: z8.string(),
-  exp: zInteger2,
-  iat: zInteger2,
-  aud: z8.string(),
-  sub: z8.string(),
+  iss: z9.string(),
+  exp: zInteger3,
+  iat: zInteger3,
+  aud: z9.string(),
+  sub: z9.string(),
   // REQUIRED according to RFC 9068, but OpenID4VCI allows anonymous access
-  client_id: z8.optional(z8.string()),
-  jti: z8.string(),
+  client_id: z9.optional(z9.string()),
+  jti: z9.string(),
   // SHOULD be included in the authorization request contained it
-  scope: z8.optional(z8.string())
+  scope: z9.optional(z9.string())
 }).passthrough();
 
 // src/access-token/verify-access-token.ts
@@ -863,27 +1097,27 @@ import { createFetcher } from "@openid4vc/utils";
 // src/dpop/dpop.ts
 import {
   URL as URL2,
-  dateToSeconds as dateToSeconds2,
+  dateToSeconds as dateToSeconds4,
   decodeUtf8String as decodeUtf8String2,
-  encodeToBase64Url as encodeToBase64Url2,
-  parseWithErrorHandling as parseWithErrorHandling4
+  encodeToBase64Url as encodeToBase64Url3,
+  parseWithErrorHandling as parseWithErrorHandling6
 } from "@openid4vc/utils";
 
 // src/dpop/z-dpop.ts
-import { zHttpMethod, zHttpsUrl as zHttpsUrl2, zInteger as zInteger3 } from "@openid4vc/utils";
-import z9 from "zod";
-var zDpopJwtPayload = z9.object({
+import { zHttpMethod, zHttpsUrl as zHttpsUrl3, zInteger as zInteger4 } from "@openid4vc/utils";
+import z10 from "zod";
+var zDpopJwtPayload = z10.object({
   ...zJwtPayload.shape,
-  iat: zInteger3,
-  htu: zHttpsUrl2,
+  iat: zInteger4,
+  htu: zHttpsUrl3,
   htm: zHttpMethod,
-  jti: z9.string(),
+  jti: z10.string(),
   // Only required when presenting in combination with access token
-  ath: z9.optional(z9.string())
+  ath: z10.optional(z10.string())
 }).passthrough();
-var zDpopJwtHeader = z9.object({
+var zDpopJwtHeader = z10.object({
   ...zJwtHeader.shape,
-  typ: z9.literal("dpop+jwt"),
+  typ: z10.literal("dpop+jwt"),
   jwk: zJwk
 }).passthrough();
 
@@ -897,18 +1131,18 @@ async function createDpopHeadersForRequest(options) {
 async function createDpopJwt(options) {
   let ath = void 0;
   if (options.accessToken) {
-    ath = encodeToBase64Url2(await options.callbacks.hash(decodeUtf8String2(options.accessToken), "sha-256" /* Sha256 */));
+    ath = encodeToBase64Url3(await options.callbacks.hash(decodeUtf8String2(options.accessToken), "sha-256" /* Sha256 */));
   }
-  const header = parseWithErrorHandling4(zDpopJwtHeader, {
+  const header = parseWithErrorHandling6(zDpopJwtHeader, {
     typ: "dpop+jwt",
     jwk: options.signer.publicJwk,
     alg: options.signer.alg
   });
-  const payload = parseWithErrorHandling4(zDpopJwtPayload, {
+  const payload = parseWithErrorHandling6(zDpopJwtPayload, {
     htu: htuFromRequestUrl(options.request.url),
-    iat: dateToSeconds2(options.issuedAt),
+    iat: dateToSeconds4(options.issuedAt),
     htm: options.request.method,
-    jti: encodeToBase64Url2(await options.callbacks.generateRandom(32)),
+    jti: encodeToBase64Url3(await options.callbacks.generateRandom(32)),
     ath,
     nonce: options.nonce,
     ...options.additionalPayload
@@ -920,75 +1154,86 @@ async function createDpopJwt(options) {
   return jwt;
 }
 async function verifyDpopJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.dpopJwt,
-    headerSchema: zDpopJwtHeader,
-    payloadSchema: zDpopJwtPayload
-  });
-  if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) {
-    throw new Oauth2Error(
-      `dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`
-    );
-  }
-  if (options.expectedNonce) {
-    if (!payload.nonce) {
-      throw new Oauth2Error(`Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`);
+  try {
+    const { header, payload } = decodeJwt({
+      jwt: options.dpopJwt,
+      headerSchema: zDpopJwtHeader,
+      payloadSchema: zDpopJwtPayload
+    });
+    if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) {
+      throw new Oauth2Error(
+        `dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`
+      );
+    }
+    if (options.expectedNonce) {
+      if (!payload.nonce) {
+        throw new Oauth2Error(
+          `Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`
+        );
+      }
+      if (payload.nonce !== options.expectedNonce) {
+        throw new Oauth2Error(
+          `Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`
+        );
+      }
     }
-    if (payload.nonce !== options.expectedNonce) {
+    if (options.request.method !== payload.htm) {
       throw new Oauth2Error(
-        `Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`
+        `Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`
       );
     }
-  }
-  if (options.request.method !== payload.htm) {
-    throw new Oauth2Error(
-      `Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`
-    );
-  }
-  const expectedHtu = htuFromRequestUrl(options.request.url);
-  if (expectedHtu !== payload.htu) {
-    throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
-  }
-  if (options.accessToken) {
-    const expectedAth = encodeToBase64Url2(
-      await options.callbacks.hash(decodeUtf8String2(options.accessToken), "sha-256" /* Sha256 */)
-    );
-    if (!payload.ath) {
-      throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
+    const expectedHtu = htuFromRequestUrl(options.request.url);
+    if (expectedHtu !== payload.htu) {
+      throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
     }
-    if (payload.ath !== expectedAth) {
-      throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
+    if (options.accessToken) {
+      const expectedAth = encodeToBase64Url3(
+        await options.callbacks.hash(decodeUtf8String2(options.accessToken), "sha-256" /* Sha256 */)
+      );
+      if (!payload.ath) {
+        throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
+      }
+      if (payload.ath !== expectedAth) {
+        throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
+      }
     }
-  }
-  if (options.expectedJwkThumbprint) {
-    const jwkThumprint = await calculateJwkThumbprint({
+    const jwkThumbprint = await calculateJwkThumbprint({
       hashAlgorithm: "sha-256" /* Sha256 */,
       hashCallback: options.callbacks.hash,
       jwk: header.jwk
     });
-    if (options.expectedJwkThumbprint !== jwkThumprint) {
+    if (options.expectedJwkThumbprint && options.expectedJwkThumbprint !== jwkThumbprint) {
       throw new Oauth2Error(
-        `Dpop is signed with jwk with thumbprint value '${jwkThumprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`
+        `Dpop is signed with jwk with thumbprint value '${jwkThumbprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`
       );
     }
+    await verifyJwt({
+      signer: {
+        alg: header.alg,
+        method: "jwk",
+        publicJwk: header.jwk
+      },
+      now: options.now,
+      header,
+      payload,
+      compact: options.dpopJwt,
+      verifyJwtCallback: options.callbacks.verifyJwt,
+      errorMessage: "dpop jwt verification failed"
+    });
+    return {
+      header,
+      payload,
+      jwkThumbprint
+    };
+  } catch (error) {
+    if (error instanceof Oauth2Error) {
+      throw new Oauth2ServerErrorResponseError({
+        error: "invalid_dpop_proof" /* InvalidDpopProof */,
+        error_description: error.message
+      });
+    }
+    throw error;
   }
-  await verifyJwt({
-    signer: {
-      alg: header.alg,
-      method: "jwk",
-      publicJwk: header.jwk
-    },
-    now: options.now,
-    header,
-    payload,
-    compact: options.dpopJwt,
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "dpop jwt verification failed"
-  });
-  return {
-    header,
-    payload
-  };
 }
 function htuFromRequestUrl(requestUrl) {
   const htu = new URL2(requestUrl);
@@ -1001,10 +1246,13 @@ function extractDpopNonceFromHeaders(headers) {
 }
 function extractDpopJwtFromHeaders(headers) {
   const dpopJwt = headers.get("DPoP");
-  if (dpopJwt && (typeof dpopJwt !== "string" || dpopJwt.includes(","))) {
+  if (!dpopJwt) {
+    return { valid: true };
+  }
+  if (!zCompactJwt.safeParse(dpopJwt).success) {
     return { valid: false };
   }
-  return { valid: true, dpopJwt: dpopJwt ?? void 0 };
+  return { valid: true, dpopJwt };
 }
 
 // src/dpop/dpop-retry.ts
@@ -1126,37 +1374,37 @@ async function resourceRequest(options) {
 import { ValidationError as ValidationError2 } from "@openid4vc/utils";
 
 // src/access-token/introspect-token.ts
-import { ContentType as ContentType3, createZodFetcher as createZodFetcher3, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
+import { ContentType as ContentType3, createZodFetcher as createZodFetcher3, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError3 } from "@openid4vc/utils";
 import { Headers } from "@openid4vc/utils";
 
 // src/access-token/z-token-introspection.ts
-import { zInteger as zInteger4 } from "@openid4vc/utils";
-import z10 from "zod";
-var zTokenIntrospectionRequest = z10.object({
-  token: z10.string(),
-  token_type_hint: z10.optional(z10.string())
+import { zInteger as zInteger5 } from "@openid4vc/utils";
+import z11 from "zod";
+var zTokenIntrospectionRequest = z11.object({
+  token: z11.string(),
+  token_type_hint: z11.optional(z11.string())
 }).passthrough();
-var zTokenIntrospectionResponse = z10.object({
-  active: z10.boolean(),
-  scope: z10.optional(z10.string()),
-  client_id: z10.optional(z10.string()),
-  username: z10.optional(z10.string()),
-  token_type: z10.optional(z10.string()),
-  exp: z10.optional(zInteger4),
-  iat: z10.optional(zInteger4),
-  nbf: z10.optional(zInteger4),
-  sub: z10.optional(z10.string()),
-  aud: z10.optional(z10.string()),
-  iss: z10.optional(z10.string()),
-  jti: z10.optional(z10.string()),
-  cnf: z10.optional(zJwtConfirmationPayload)
+var zTokenIntrospectionResponse = z11.object({
+  active: z11.boolean(),
+  scope: z11.optional(z11.string()),
+  client_id: z11.optional(z11.string()),
+  username: z11.optional(z11.string()),
+  token_type: z11.optional(z11.string()),
+  exp: z11.optional(zInteger5),
+  iat: z11.optional(zInteger5),
+  nbf: z11.optional(zInteger5),
+  sub: z11.optional(z11.string()),
+  aud: z11.optional(z11.string()),
+  iss: z11.optional(z11.string()),
+  jti: z11.optional(z11.string()),
+  cnf: z11.optional(zJwtConfirmationPayload)
 }).passthrough();
 
 // src/access-token/introspect-token.ts
 async function introspectToken(options) {
   const fetchWithZod = createZodFetcher3(options.callbacks.fetch);
-  const introspectionRequest = parseWithErrorHandling5(zTokenIntrospectionRequest, {
+  const introspectionRequest = parseWithErrorHandling7(zTokenIntrospectionRequest, {
     token: options.token,
     token_type_hint: options.tokenTypeHint,
     ...options.additionalPayload
@@ -1171,7 +1419,7 @@ async function introspectToken(options) {
   await options.callbacks.clientAuthentication({
     url: introspectionEndpoint,
     method: "POST",
-    authorizationServerMetata: options.authorizationServerMetadata,
+    authorizationServerMetadata: options.authorizationServerMetadata,
     body: introspectionRequest,
     contentType: ContentType3.XWwwFormUrlencoded,
     headers
@@ -1323,7 +1571,7 @@ async function verifyResourceRequest(options) {
   }
   return {
     tokenPayload,
-    dpopJwk,
+    dpop: dpopJwk ? { jwk: dpopJwk } : void 0,
     scheme,
     accessToken,
     authorizationServer: authorizationServer.issuer
@@ -1331,10 +1579,23 @@ async function verifyResourceRequest(options) {
 }
 
 // src/client-authentication.ts
-import { decodeUtf8String as decodeUtf8String3, encodeToBase64Url as encodeToBase64Url3 } from "@openid4vc/utils";
+import { decodeUtf8String as decodeUtf8String3, encodeToBase64Url as encodeToBase64Url4 } from "@openid4vc/utils";
+
+// src/z-grant-type.ts
+import z12 from "zod";
+var zPreAuthorizedCodeGrantIdentifier = z12.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
+var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
+var zAuthorizationCodeGrantIdentifier = z12.literal("authorization_code");
+var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
+var zRefreshTokenGrantIdentifier = z12.literal("refresh_token");
+var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
+
+// src/client-authentication.ts
 var SupportedClientAuthenticationMethod = /* @__PURE__ */ ((SupportedClientAuthenticationMethod2) => {
   SupportedClientAuthenticationMethod2["ClientSecretBasic"] = "client_secret_basic";
   SupportedClientAuthenticationMethod2["ClientSecretPost"] = "client_secret_post";
+  SupportedClientAuthenticationMethod2["ClientAttestationJwt"] = "attest_jwt_client_auth";
+  SupportedClientAuthenticationMethod2["None"] = "none";
   return SupportedClientAuthenticationMethod2;
 })(SupportedClientAuthenticationMethod || {});
 function getSupportedClientAuthenticationMethod(authorizationServer, endpointType) {
@@ -1370,15 +1631,21 @@ function getSupportedClientAuthenticationMethod(authorizationServer, endpointTyp
 }
 function clientAuthenticationDynamic(options) {
   return (callbackOptions) => {
-    const { url, authorizationServerMetata } = callbackOptions;
-    const endpointType = url === authorizationServerMetata.introspection_endpoint ? "introspection" : "endpoint";
-    const method = getSupportedClientAuthenticationMethod(authorizationServerMetata, endpointType);
+    const { url, authorizationServerMetadata, body } = callbackOptions;
+    const endpointType = url === authorizationServerMetadata.introspection_endpoint ? "introspection" : url === authorizationServerMetadata.token_endpoint ? "token" : "endpoint";
+    const method = getSupportedClientAuthenticationMethod(authorizationServerMetadata, endpointType);
+    if (endpointType === "token" && body.grant_type === preAuthorizedCodeGrantIdentifier && authorizationServerMetadata.pre_authorized_grant_anonymous_access_supported) {
+      return clientAuthenticationAnonymous()(callbackOptions);
+    }
     if (method === "client_secret_basic" /* ClientSecretBasic */) {
       return clientAuthenticationClientSecretBasic(options)(callbackOptions);
     }
     if (method === "client_secret_post" /* ClientSecretPost */) {
       return clientAuthenticationClientSecretPost(options)(callbackOptions);
     }
+    if (method === "none" /* None */) {
+      return clientAuthenticationNone(options)(callbackOptions);
+    }
     throw new Oauth2Error(
       `Unsupported client auth method ${method}. Supported values are ${Object.values(
         SupportedClientAuthenticationMethod
@@ -1394,40 +1661,61 @@ function clientAuthenticationClientSecretPost(options) {
 }
 function clientAuthenticationClientSecretBasic(options) {
   return ({ headers }) => {
-    const authorization = encodeToBase64Url3(decodeUtf8String3(`${options.clientId}:${options.clientSecret}`));
+    const authorization = encodeToBase64Url4(decodeUtf8String3(`${options.clientId}:${options.clientSecret}`));
     headers.set("Authorization", `Basic ${authorization}`);
   };
 }
-function clientAuthenticationNone() {
+function clientAuthenticationNone(options) {
+  return ({ body }) => {
+    body.client_id = options.clientId;
+  };
+}
+function clientAuthenticationAnonymous() {
   return () => {
   };
 }
+function clientAuthenticationClientAttestationJwt(options) {
+  return async ({ headers, authorizationServerMetadata }) => {
+    const clientAttestationPop = await createClientAttestationPopJwt({
+      authorizationServer: authorizationServerMetadata.issuer,
+      callbacks: options.callbacks,
+      clientAttestation: options.clientAttestationJwt
+      // TODO: support client attestation nonce
+      // We can fetch it before making the request if we don't have a nonce
+      // https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-05.html
+      // https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/101
+      // nonce:
+    });
+    headers.set(oauthClientAttestationHeader, options.clientAttestationJwt);
+    headers.set(oauthClientAttestationPopHeader, clientAttestationPop);
+  };
+}
 
 // src/Oauth2AuthorizationServer.ts
 import { parseWithErrorHandling as parseWithErrorHandling12 } from "@openid4vc/utils";
 
 // src/access-token/create-access-token.ts
-import { addSecondsToDate, dateToSeconds as dateToSeconds3, encodeToBase64Url as encodeToBase64Url4, parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/utils";
+import { addSecondsToDate as addSecondsToDate2, dateToSeconds as dateToSeconds5, encodeToBase64Url as encodeToBase64Url5, parseWithErrorHandling as parseWithErrorHandling8 } from "@openid4vc/utils";
 async function createAccessTokenJwt(options) {
-  const header = parseWithErrorHandling6(zAccessTokenProfileJwtHeader, {
+  const header = parseWithErrorHandling8(zAccessTokenProfileJwtHeader, {
     ...jwtHeaderFromJwtSigner(options.signer),
     typ: "at+jwt"
   });
   const now = options.now ?? /* @__PURE__ */ new Date();
-  const payload = parseWithErrorHandling6(zAccessTokenProfileJwtPayload, {
-    iat: dateToSeconds3(now),
-    exp: dateToSeconds3(addSecondsToDate(now, options.expiresInSeconds)),
+  const payload = parseWithErrorHandling8(zAccessTokenProfileJwtPayload, {
+    iat: dateToSeconds5(now),
+    exp: dateToSeconds5(addSecondsToDate2(now, options.expiresInSeconds)),
     aud: options.audience,
     iss: options.authorizationServer,
-    jti: encodeToBase64Url4(await options.callbacks.generateRandom(32)),
+    jti: encodeToBase64Url5(await options.callbacks.generateRandom(32)),
     client_id: options.clientId,
     sub: options.subject,
     scope: options.scope,
-    cnf: options.dpopJwk ? {
+    cnf: options.dpop ? {
       jkt: await calculateJwkThumbprint({
         hashAlgorithm: "sha-256" /* Sha256 */,
         hashCallback: options.callbacks.hash,
-        jwk: options.dpopJwk
+        jwk: options.dpop.jwk
       })
     } : void 0,
     ...options.additionalPayload
@@ -1442,45 +1730,34 @@ async function createAccessTokenJwt(options) {
 }
 
 // src/access-token/create-access-token-response.ts
-import { parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
-
-// src/access-token/z-access-token.ts
-import z12 from "zod";
-import { zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
-
-// src/z-grant-type.ts
-import z11 from "zod";
-var zPreAuthorizedCodeGrantIdentifier = z11.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
-var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
-var zAuthorizationCodeGrantIdentifier = z11.literal("authorization_code");
-var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
-var zRefreshTokenGrantIdentifier = z11.literal("refresh_token");
-var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
+import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
 
 // src/access-token/z-access-token.ts
-var zAccessTokenRequest = z12.intersection(
-  z12.object({
+import z13 from "zod";
+import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
+var zAccessTokenRequest = z13.intersection(
+  z13.object({
     // Pre authorized code flow
-    "pre-authorized_code": z12.optional(z12.string()),
+    "pre-authorized_code": z13.optional(z13.string()),
     // Authorization code flow
-    code: z12.optional(z12.string()),
-    redirect_uri: z12.string().url().optional(),
+    code: z13.optional(z13.string()),
+    redirect_uri: z13.string().url().optional(),
     // Refresh token grant
-    refresh_token: z12.optional(z12.string()),
-    resource: z12.optional(zHttpsUrl3),
-    code_verifier: z12.optional(z12.string()),
-    grant_type: z12.union([
+    refresh_token: z13.optional(z13.string()),
+    resource: z13.optional(zHttpsUrl4),
+    code_verifier: z13.optional(z13.string()),
+    grant_type: z13.union([
       zPreAuthorizedCodeGrantIdentifier,
       zAuthorizationCodeGrantIdentifier,
       zRefreshTokenGrantIdentifier,
       // string makes the previous ones unessary, but it does help with error messages
-      z12.string()
+      z13.string()
     ])
   }).passthrough(),
-  z12.object({
-    tx_code: z12.optional(z12.string()),
+  z13.object({
+    tx_code: z13.optional(z13.string()),
     // user_pin is from OpenID4VCI draft 11
-    user_pin: z12.optional(z12.string())
+    user_pin: z13.optional(z13.string())
   }).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, {
     message: `If both 'tx_code' and 'user_pin' are present they must match`
   }).transform(({ tx_code, user_pin, ...rest }) => {
@@ -1490,20 +1767,20 @@ var zAccessTokenRequest = z12.intersection(
     };
   })
 );
-var zAccessTokenResponse = z12.object({
-  access_token: z12.string(),
-  token_type: z12.string(),
-  expires_in: z12.optional(z12.number().int()),
-  scope: z12.optional(z12.string()),
-  state: z12.optional(z12.string()),
-  refresh_token: z12.optional(z12.string()),
+var zAccessTokenResponse = z13.object({
+  access_token: z13.string(),
+  token_type: z13.string(),
+  expires_in: z13.optional(z13.number().int()),
+  scope: z13.optional(z13.string()),
+  state: z13.optional(z13.string()),
+  refresh_token: z13.optional(z13.string()),
   // OpenID4VCI specific parameters
-  c_nonce: z12.optional(z12.string()),
-  c_nonce_expires_in: z12.optional(z12.number().int()),
+  c_nonce: z13.optional(z13.string()),
+  c_nonce_expires_in: z13.optional(z13.number().int()),
   // TODO: add additional params
-  authorization_details: z12.array(
-    z12.object({
-      // requried when type is openid_credential (so we probably need a discriminator)
+  authorization_details: z13.array(
+    z13.object({
+      // required when type is openid_credential (so we probably need a discriminator)
       // credential_identifiers: z.array(z.string()),
     }).passthrough()
   ).optional()
@@ -1512,7 +1789,7 @@ var zAccessTokenErrorResponse = zOauth2ErrorResponse;
 
 // src/access-token/create-access-token-response.ts
 async function createAccessTokenResponse(options) {
-  const accessTokenResponse = parseWithErrorHandling7(zAccessTokenResponse, {
+  const accessTokenResponse = parseWithErrorHandling9(zAccessTokenResponse, {
     access_token: options.accessToken,
     token_type: options.tokenType,
     expires_in: options.expiresInSeconds,
@@ -1524,13 +1801,14 @@ async function createAccessTokenResponse(options) {
 }
 
 // src/access-token/parse-access-token-request.ts
+import { formatZodError as formatZodError2 } from "@openid4vc/utils";
 function parseAccessTokenRequest(options) {
   const parsedAccessTokenRequest = zAccessTokenRequest.safeParse(options.accessTokenRequest);
   if (!parsedAccessTokenRequest.success) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_request" /* InvalidRequest */,
       error_description: `Error occured during validation of authorization request.
-${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
+${formatZodError2(parsedAccessTokenRequest.error)}`
     });
   }
   const accessTokenRequest = parsedAccessTokenRequest.data;
@@ -1571,17 +1849,30 @@ ${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
       error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
     });
   }
+  const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
+  if (!extractedClientAttestationJwts.valid) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_client" /* InvalidClient */,
+      error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
+    });
+  }
   const pkceCodeVerifier = accessTokenRequest.code_verifier;
   return {
     accessTokenRequest,
     grant,
-    dpopJwt: extractedDpopJwt.dpopJwt,
+    dpop: extractedDpopJwt.dpopJwt ? {
+      jwt: extractedDpopJwt.dpopJwt
+    } : void 0,
+    clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
+      clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
+      clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
+    } : void 0,
     pkceCodeVerifier
   };
 }
 
 // src/pkce.ts
-import { decodeUtf8String as decodeUtf8String4, encodeToBase64Url as encodeToBase64Url5 } from "@openid4vc/utils";
+import { decodeUtf8String as decodeUtf8String4, encodeToBase64Url as encodeToBase64Url6 } from "@openid4vc/utils";
 var PkceCodeChallengeMethod = /* @__PURE__ */ ((PkceCodeChallengeMethod2) => {
   PkceCodeChallengeMethod2["Plain"] = "plain";
   PkceCodeChallengeMethod2["S256"] = "S256";
@@ -1596,7 +1887,7 @@ async function createPkce(options) {
     throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
   }
   const codeChallengeMethod = allowedCodeChallengeMethods.includes("S256" /* S256 */) ? "S256" /* S256 */ : "plain" /* Plain */;
-  const codeVerifier = options.codeVerifier ?? encodeToBase64Url5(await options.callbacks.generateRandom(64));
+  const codeVerifier = options.codeVerifier ?? encodeToBase64Url6(await options.callbacks.generateRandom(64));
   return {
     codeVerifier,
     codeChallenge: await calculateCodeChallenge({
@@ -1624,13 +1915,24 @@ async function calculateCodeChallenge(options) {
     return options.codeVerifier;
   }
   if (options.codeChallengeMethod === "S256" /* S256 */) {
-    return encodeToBase64Url5(await options.hashCallback(decodeUtf8String4(options.codeVerifier), "sha-256" /* Sha256 */));
+    return encodeToBase64Url6(await options.hashCallback(decodeUtf8String4(options.codeVerifier), "sha-256" /* Sha256 */));
   }
   throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
 }
 
 // src/access-token/verify-access-token-request.ts
 async function verifyPreAuthorizedCodeAccessTokenRequest(options) {
+  if (options.pkce) {
+    await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
+  }
+  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
+  const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(
+    options.clientAttestation,
+    options.authorizationServerMetadata,
+    options.callbacks,
+    dpopResult?.jwkThumbprint,
+    options.now
+  ) : void 0;
   if (options.grant.preAuthorizedCode !== options.expectedPreAuthorizedCode) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_grant" /* InvalidGrant */,
@@ -1669,13 +1971,20 @@ async function verifyPreAuthorizedCodeAccessTokenRequest(options) {
       );
     }
   }
+  return { dpop: dpopResult, clientAttestation: clientAttestationResult };
+}
+async function verifyAuthorizationCodeAccessTokenRequest(options) {
   if (options.pkce) {
     await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
   }
-  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : null;
-  return { dpopJwk: dpopResult?.dpopJwk };
-}
-async function verifyAuthorizationCodeAccessTokenRequest(options) {
+  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
+  const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(
+    options.clientAttestation,
+    options.authorizationServerMetadata,
+    options.callbacks,
+    dpopResult?.jwkThumbprint,
+    options.now
+  ) : void 0;
   if (options.grant.code !== options.expectedCode) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_grant" /* InvalidGrant */,
@@ -1696,11 +2005,55 @@ async function verifyAuthorizationCodeAccessTokenRequest(options) {
       );
     }
   }
-  if (options.pkce) {
-    await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
+  return { dpop: dpopResult, clientAttestation: clientAttestationResult };
+}
+async function verifyAccessTokenRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now) {
+  if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
+    if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) {
+      return void 0;
+    }
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Missing required client attestation parameters in access token request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
+    });
+  }
+  const verifiedClientAttestation = await verifyClientAttestation({
+    authorizationServer: authorizationServerMetadata.issuer,
+    callbacks,
+    clientAttestationJwt: options.clientAttestationJwt,
+    clientAttestationPopJwt: options.clientAttestationPopJwt,
+    now
+  });
+  if (options.expectedClientId !== verifiedClientAttestation.clientAttestation.payload.sub) {
+    throw new Oauth2ServerErrorResponseError(
+      {
+        error: "invalid_client" /* InvalidClient */,
+        error_description: `The client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation does not match the client id for the authorization.`
+      },
+      {
+        status: 401
+      }
+    );
+  }
+  if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
+    const clientAttestationJkt = await calculateJwkThumbprint({
+      hashAlgorithm: "sha-256" /* Sha256 */,
+      hashCallback: callbacks.hash,
+      jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
+    });
+    if (clientAttestationJkt !== dpopJwkThumbprint) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: "invalid_request" /* InvalidRequest */,
+          error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensrue both DPoP and client attestation use the same key."
+        },
+        {
+          status: 401
+        }
+      );
+    }
   }
-  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : null;
-  return { dpopJwk: dpopResult?.dpopJwk };
+  return verifiedClientAttestation;
 }
 async function verifyAccessTokenRequestDpop(options, request, callbacks) {
   if (options.required && !options.jwt) {
@@ -1709,26 +2062,18 @@ async function verifyAccessTokenRequestDpop(options, request, callbacks) {
       error_description: "Missing required DPoP proof"
     });
   }
-  if (!options.jwt) return null;
-  try {
-    const { header } = await verifyDpopJwt({
-      callbacks,
-      dpopJwt: options.jwt,
-      request,
-      allowedSigningAlgs: options.allowedSigningAlgs
-    });
-    return {
-      dpopJwk: header.jwk
-    };
-  } catch (error) {
-    if (error instanceof Oauth2Error) {
-      throw new Oauth2ServerErrorResponseError({
-        error: "invalid_dpop_proof" /* InvalidDpopProof */,
-        error_description: error.message
-      });
-    }
-    throw error;
-  }
+  if (!options.jwt) return void 0;
+  const { header, jwkThumbprint } = await verifyDpopJwt({
+    callbacks,
+    dpopJwt: options.jwt,
+    request,
+    allowedSigningAlgs: options.allowedSigningAlgs,
+    expectedJwkThumbprint: options.expectedJwkThumbprint
+  });
+  return {
+    jwk: header.jwk,
+    jwkThumbprint
+  };
 }
 async function verifyAccessTokenRequestPkce(options, callbacks) {
   if (options.codeChallenge && !options.codeVerifier) {
@@ -1757,69 +2102,69 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
 }
 
 // src/authorization-challenge/create-authorization-challenge-response.ts
-import { parseWithErrorHandling as parseWithErrorHandling8 } from "@openid4vc/utils";
+import { parseWithErrorHandling as parseWithErrorHandling10 } from "@openid4vc/utils";
 
 // src/authorization-challenge/z-authorization-challenge.ts
-import { zInteger as zInteger5 } from "@openid4vc/utils";
-import z14 from "zod";
+import { zInteger as zInteger6 } from "@openid4vc/utils";
+import z15 from "zod";
 
 // src/authorization-request/z-authorization-request.ts
-import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
-import z13 from "zod";
-var zAuthorizationRequest = z13.object({
-  response_type: z13.string(),
-  client_id: z13.string(),
-  issuer_state: z13.optional(z13.string()),
-  redirect_uri: z13.string().url().optional(),
-  resource: z13.optional(zHttpsUrl4),
-  scope: z13.optional(z13.string()),
+import { zHttpsUrl as zHttpsUrl5 } from "@openid4vc/utils";
+import z14 from "zod";
+var zAuthorizationRequest = z14.object({
+  response_type: z14.string(),
+  client_id: z14.string(),
+  issuer_state: z14.optional(z14.string()),
+  redirect_uri: z14.string().url().optional(),
+  resource: z14.optional(zHttpsUrl5),
+  scope: z14.optional(z14.string()),
   // DPoP jwk thumbprint
-  dpop_jkt: z13.optional(z13.string()),
-  code_challenge: z13.optional(z13.string()),
-  code_challenge_method: z13.optional(z13.string())
+  dpop_jkt: z14.optional(z14.string().base64url()),
+  code_challenge: z14.optional(z14.string()),
+  code_challenge_method: z14.optional(z14.string())
 }).passthrough();
-var zPushedAuthorizationRequest = z13.object({
-  request_uri: z13.string(),
-  client_id: z13.string()
+var zPushedAuthorizationRequest = z14.object({
+  request_uri: z14.string(),
+  client_id: z14.string()
 }).passthrough();
-var zPushedAuthorizationResponse = z13.object({
-  request_uri: z13.string(),
-  expires_in: z13.number().int()
+var zPushedAuthorizationResponse = z14.object({
+  request_uri: z14.string(),
+  expires_in: z14.number().int()
 }).passthrough();
 
 // src/authorization-challenge/z-authorization-challenge.ts
-var zAuthorizationChallengeRequest = z14.object({
+var zAuthorizationChallengeRequest = z15.object({
   // authorization challenge request can include same parameters as an authorization request
   // except for response_type (always `code`), and `client_id` is optional (becase
   // it's possible to do client authentication using different methods)
   ...zAuthorizationRequest.omit({ response_type: true, client_id: true }).shape,
-  client_id: z14.optional(zAuthorizationRequest.shape.client_id),
-  auth_session: z14.optional(z14.string()),
+  client_id: z15.optional(zAuthorizationRequest.shape.client_id),
+  auth_session: z15.optional(z15.string()),
   // DRAFT presentation during issuance
-  presentation_during_issuance_session: z14.optional(z14.string())
+  presentation_during_issuance_session: z15.optional(z15.string())
 }).passthrough();
-var zAuthorizationChallengeResponse = z14.object({
-  authorization_code: z14.string()
+var zAuthorizationChallengeResponse = z15.object({
+  authorization_code: z15.string()
 }).passthrough();
-var zAuthorizationChallengeErrorResponse = z14.object({
+var zAuthorizationChallengeErrorResponse = z15.object({
   ...zOauth2ErrorResponse.shape,
-  auth_session: z14.optional(z14.string()),
-  request_uri: z14.optional(z14.string()),
-  expires_in: z14.optional(zInteger5),
+  auth_session: z15.optional(z15.string()),
+  request_uri: z15.optional(z15.string()),
+  expires_in: z15.optional(zInteger6),
   // DRAFT: presentation during issuance
-  presentation: z14.optional(z14.string())
+  presentation: z15.optional(z15.string())
 }).passthrough();
 
 // src/authorization-challenge/create-authorization-challenge-response.ts
 function createAuthorizationChallengeResponse(options) {
-  const authorizationChallengeResponse = parseWithErrorHandling8(zAuthorizationChallengeResponse, {
+  const authorizationChallengeResponse = parseWithErrorHandling10(zAuthorizationChallengeResponse, {
     ...options.additionalPayload,
     authorization_code: options.authorizationCode
   });
   return { authorizationChallengeResponse };
 }
 function createAuthorizationChallengeErrorResponse(options) {
-  const authorizationChallengeErrorResponse = parseWithErrorHandling8(zAuthorizationChallengeErrorResponse, {
+  const authorizationChallengeErrorResponse = parseWithErrorHandling10(zAuthorizationChallengeErrorResponse, {
     ...options.additionalPayload,
     // General FiPA
     error: options.error,
@@ -1835,203 +2180,220 @@ function createAuthorizationChallengeErrorResponse(options) {
 }
 
 // src/authorization-challenge/parse-authorization-challenge-request.ts
-import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
+import { formatZodError as formatZodError3 } from "@openid4vc/utils";
+
+// src/authorization-request/parse-authorization-request.ts
+function parseAuthorizationRequest(options) {
+  const extractedDpopJwt = extractDpopJwtFromHeaders(options.request.headers);
+  if (!extractedDpopJwt.valid) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
+    });
+  }
+  const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
+  if (!extractedClientAttestationJwts.valid) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_client" /* InvalidClient */,
+      error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
+    });
+  }
+  return {
+    dpop: extractedDpopJwt.dpopJwt ? {
+      jwt: extractedDpopJwt.dpopJwt,
+      jwkThumbprint: options.authorizationRequest.dpop_jkt
+    } : (
+      // Basically the same as above, but with correct TS type hinting
+      options.authorizationRequest.dpop_jkt ? {
+        jwt: extractedDpopJwt.dpopJwt,
+        jwkThumbprint: options.authorizationRequest.dpop_jkt
+      } : void 0
+    ),
+    clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
+      clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
+      clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
+    } : void 0
+  };
+}
+
+// src/authorization-challenge/parse-authorization-challenge-request.ts
 function parseAuthorizationChallengeRequest(options) {
-  const authorizationChallengeRequest = parseWithErrorHandling9(
-    zAuthorizationChallengeRequest,
+  const parsedAuthorizationChallengeRequest = zAuthorizationChallengeRequest.safeParse(
     options.authorizationChallengeRequest
   );
-  return { authorizationChallengeRequest };
+  if (!parsedAuthorizationChallengeRequest.success) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_request" /* InvalidRequest */,
+      error_description: `Error occured during validation of authorization challenge request.
+${formatZodError3(parsedAuthorizationChallengeRequest.error)}`
+    });
+  }
+  const authorizationChallengeRequest = parsedAuthorizationChallengeRequest.data;
+  const { clientAttestation, dpop } = parseAuthorizationRequest({
+    authorizationRequest: authorizationChallengeRequest,
+    request: options.request
+  });
+  return {
+    authorizationChallengeRequest: parsedAuthorizationChallengeRequest.data,
+    dpop,
+    clientAttestation
+  };
 }
 
-// src/client-attestation/clent-attestation.ts
-import { dateToSeconds as dateToSeconds4, parseWithErrorHandling as parseWithErrorHandling10 } from "@openid4vc/utils";
-
-// src/client-attestation/z-client-attestation.ts
-import { zHttpsUrl as zHttpsUrl5, zInteger as zInteger6 } from "@openid4vc/utils";
-import z15 from "zod";
-var zOauthClientAttestationHeader = z15.literal("OAuth-Client-Attestation");
-var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
-var zClientAttestationJwtPayload = z15.object({
-  ...zJwtPayload.shape,
-  iss: z15.string(),
-  sub: z15.string(),
-  exp: zInteger6,
-  cnf: z15.object({
-    jwk: zJwk,
-    key_type: z15.optional(
-      z15.union([
-        z15.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
-        z15.string()
-      ])
-    ),
-    user_authentication: z15.optional(
-      z15.union([
-        z15.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
-        z15.string()
-      ])
-    )
-  }).passthrough(),
-  aal: z15.optional(z15.string())
-}).passthrough();
-var zClientAttestationJwtHeader = z15.object({
-  ...zJwtHeader.shape,
-  typ: z15.literal("oauth-client-attestation+jwt")
-}).passthrough();
-var zOauthClientAttestationPopHeader = z15.literal("OAuth-Client-Attestation-PoP");
-var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
-var zClientAttestationPopJwtPayload = z15.object({
-  ...zJwtPayload.shape,
-  iss: z15.string(),
-  exp: zInteger6,
-  aud: zHttpsUrl5,
-  jti: z15.string(),
-  nonce: z15.optional(z15.string())
-}).passthrough();
-var zClientAttestationPopJwtHeader = z15.object({
-  ...zJwtHeader.shape,
-  typ: z15.literal("oauth-client-attestation-pop+jwt")
-}).passthrough();
-
-// src/client-attestation/clent-attestation.ts
-async function verifyClientAttestationJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.clientAttestationJwt,
-    headerSchema: zClientAttestationJwtHeader,
-    payloadSchema: zClientAttestationJwtPayload
-  });
-  const { signer } = await verifyJwt({
-    signer: jwtSignerFromJwt({ header, payload }),
-    now: options.now,
-    header,
-    payload,
-    compact: options.clientAttestationJwt,
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "client attestation jwt verification failed"
-  });
+// src/authorization-request/verify-authorization-request.ts
+async function verifyAuthorizationRequest(options) {
+  const dpopResult = options.dpop ? await verifyAuthorizationRequestDpop(options.dpop, options.request, options.callbacks, options.now) : void 0;
+  const clientAttestationResult = options.clientAttestation ? await verifyAuthorizationRequestClientAttestation(
+    options.clientAttestation,
+    options.authorizationServerMetadata,
+    options.callbacks,
+    dpopResult?.jwkThumbprint,
+    options.now,
+    options.authorizationRequest.client_id
+  ) : void 0;
   return {
-    header,
-    payload,
-    signer
+    dpop: dpopResult?.jwkThumbprint ? {
+      jwkThumbprint: dpopResult.jwkThumbprint,
+      jwk: dpopResult.jwk
+    } : void 0,
+    clientAttestation: clientAttestationResult
   };
 }
-async function createClientAttestationJwt(options) {
-  const header = parseWithErrorHandling10(zClientAttestationJwtHeader, {
-    typ: "oauth-client-attestation+jwt",
-    ...jwtHeaderFromJwtSigner(options.signer)
-  });
-  const payload = parseWithErrorHandling10(zClientAttestationJwtPayload, {
-    iss: options.issuer,
-    iat: dateToSeconds4(options.issuedAt),
-    exp: dateToSeconds4(options.expiresAt),
-    sub: options.clientId,
-    cnf: options.confirmation,
-    ...options.additionalPayload
-  });
-  const { jwt } = await options.callbacks.signJwt(options.signer, {
-    header,
-    payload
+async function verifyAuthorizationRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now, requestClientId) {
+  if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
+    if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) {
+      return void 0;
+    }
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Missing required client attestation parameters in pushed authorization request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
+    });
+  }
+  const verifiedClientAttestation = await verifyClientAttestation({
+    authorizationServer: authorizationServerMetadata.issuer,
+    callbacks,
+    clientAttestationJwt: options.clientAttestationJwt,
+    clientAttestationPopJwt: options.clientAttestationPopJwt,
+    now
   });
-  return jwt;
+  if (requestClientId && requestClientId !== verifiedClientAttestation.clientAttestation.payload.sub) {
+    throw new Oauth2ServerErrorResponseError(
+      {
+        error: "invalid_client" /* InvalidClient */,
+        error_description: `The client_id '${requestClientId}' in the request does not match the client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation`
+      },
+      {
+        status: 401
+      }
+    );
+  }
+  if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
+    const clientAttestationJkt = await calculateJwkThumbprint({
+      hashAlgorithm: "sha-256" /* Sha256 */,
+      hashCallback: callbacks.hash,
+      jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
+    });
+    if (clientAttestationJkt !== dpopJwkThumbprint) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: "invalid_request" /* InvalidRequest */,
+          error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensrue both DPoP and client attestation use the same key."
+        },
+        {
+          status: 401
+        }
+      );
+    }
+  }
+  return verifiedClientAttestation;
 }
-function extractClientAttestationJwtsFromHeaders(headers) {
-  const clientAttestationHeader = headers.get(oauthClientAttestationHeader);
-  const clientAttestationPopHeader = headers.get(oauthClientAttestationPopHeader);
-  if (!clientAttestationHeader || clientAttestationHeader.includes(",")) {
-    throw new Oauth2Error(`Missing or invalid '${oauthClientAttestationHeader}' header.`);
+async function verifyAuthorizationRequestDpop(options, request, callbacks, now) {
+  if (options.required && !options.jwt && !options.jwkThumbprint) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Missing required DPoP parameters in authorization request. Either DPoP header or 'dpop_jkt' is required.`
+    });
   }
-  if (!clientAttestationPopHeader || clientAttestationPopHeader.includes(",")) {
-    throw new Oauth2Error(`Missing or invalid '${oauthClientAttestationPopHeader}' header.`);
+  const verifyDpopResult = options.jwt ? await verifyDpopJwt({
+    callbacks,
+    dpopJwt: options.jwt,
+    request,
+    allowedSigningAlgs: options.allowedSigningAlgs,
+    now
+  }) : void 0;
+  if (options.jwkThumbprint && verifyDpopResult && options.jwkThumbprint !== verifyDpopResult.jwkThumbprint) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `DPoP jwk thumbprint does not match with 'dpop_jkt' provided in authorization request`
+    });
   }
   return {
-    clientAttestationPopHeader,
-    clientAttestationHeader
+    jwk: verifyDpopResult?.header.jwk,
+    jwkThumbprint: verifyDpopResult?.jwkThumbprint ?? options.jwkThumbprint
   };
 }
 
-// src/client-attestation/client-attestation-pop.ts
-import { addSecondsToDate as addSecondsToDate2, dateToSeconds as dateToSeconds5, encodeToBase64Url as encodeToBase64Url6, parseWithErrorHandling as parseWithErrorHandling11 } from "@openid4vc/utils";
-async function createClientAttestationForRequest(options) {
-  const clientAttestationPopJwt = await createClientAttestationPopJwt({
-    authorizationServer: options.authorizationServer,
-    clientAttestation: options.clientAttestation.jwt,
-    callbacks: options.callbacks,
-    expiresAt: options.clientAttestation.expiresAt,
-    signer: options.clientAttestation.signer,
-    nonce: options.clientAttestation.nonce
+// src/authorization-challenge/verify-authorization-challenge-request.ts
+async function verifyAuthorizationChallengeRequest(options) {
+  const { clientAttestation, dpop } = await verifyAuthorizationRequest({
+    ...options,
+    authorizationRequest: options.authorizationChallengeRequest
   });
   return {
-    headers: {
-      [oauthClientAttestationHeader]: options.clientAttestation.jwt,
-      [oauthClientAttestationPopHeader]: clientAttestationPopJwt
-    },
-    body: options.clientAttestation.includeLegacyDraft2ClientAssertion ? {
-      client_assertion: `${options.clientAttestation.jwt}~${clientAttestationPopJwt}`,
-      client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation"
-    } : void 0
+    dpop,
+    clientAttestation
   };
 }
-async function verifyClientAttestationPopJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.clientAttestationPopJwt,
-    headerSchema: zClientAttestationPopJwtHeader,
-    payloadSchema: zClientAttestationPopJwtPayload
+
+// src/authorization-request/create-pushed-authorization-response.ts
+import { parseWithErrorHandling as parseWithErrorHandling11 } from "@openid4vc/utils";
+function createPushedAuthorizationResponse(options) {
+  const pushedAuthorizationResponse = parseWithErrorHandling11(zPushedAuthorizationResponse, {
+    ...options.additionalPayload,
+    expires_in: options.expiresInSeconds,
+    request_uri: options.requestUri
   });
-  if (payload.iss !== options.clientAttestation.payload.sub) {
-    throw new Oauth2Error(
-      `Client Attestation Pop jwt contains 'iss' (client_id) value '${payload.iss}', but expected 'sub' value from client attestation '${options.clientAttestation.payload.sub}'`
-    );
-  }
-  if (payload.aud !== options.authorizationServer) {
-    throw new Oauth2Error(
-      `Client Attestation Pop jwt contains 'aud' value '${payload.aud}', but expected authorization server identifier '${options.authorizationServer}'`
-    );
+  return { pushedAuthorizationResponse };
+}
+function createPushedAuthorizationErrorResponse(options) {
+  const pushedAuthorizationErrorResponse = parseWithErrorHandling11(zAccessTokenErrorResponse, {
+    ...options.additionalPayload,
+    error: options.error,
+    error_description: options.errorDescription
+  });
+  return pushedAuthorizationErrorResponse;
+}
+
+// src/authorization-request/parse-pushed-authorization-request.ts
+import { formatZodError as formatZodError4 } from "@openid4vc/utils";
+function parsePushedAuthorizationRequest(options) {
+  const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
+  if (!parsedAuthorizationRequest.success) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_request" /* InvalidRequest */,
+      error_description: `Error occured during validation of pushed authorization request.
+${formatZodError4(parsedAuthorizationRequest.error)}`
+    });
   }
-  const { signer } = await verifyJwt({
-    signer: {
-      alg: header.alg,
-      method: "jwk",
-      publicJwk: options.clientAttestation.payload.cnf.jwk
-    },
-    now: options.now,
-    header,
-    expectedNonce: options.expectedNonce,
-    payload,
-    compact: options.clientAttestationPopJwt,
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "client attestation pop jwt verification failed"
+  const authorizationRequest = parsedAuthorizationRequest.data;
+  const { clientAttestation, dpop } = parseAuthorizationRequest({
+    authorizationRequest,
+    request: options.request
   });
   return {
-    header,
-    payload,
-    signer
+    authorizationRequest,
+    dpop,
+    clientAttestation
   };
 }
-async function createClientAttestationPopJwt(options) {
-  const header = parseWithErrorHandling11(zClientAttestationPopJwtHeader, {
-    typ: "oauth-client-attestation-pop+jwt",
-    alg: options.signer.alg
-  });
-  const clientAttestation = decodeJwt({
-    jwt: options.clientAttestation,
-    headerSchema: zClientAttestationJwtHeader,
-    payloadSchema: zClientAttestationJwtPayload
-  });
-  const expiresAt = options.expiresAt ?? addSecondsToDate2(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
-  const payload = parseWithErrorHandling11(zClientAttestationPopJwtPayload, {
-    aud: options.authorizationServer,
-    iss: clientAttestation.payload.sub,
-    iat: dateToSeconds5(options.issuedAt),
-    exp: dateToSeconds5(expiresAt),
-    jti: encodeToBase64Url6(await options.callbacks.generateRandom(32)),
-    nonce: options.nonce,
-    ...options.additionalPayload
-  });
-  const { jwt } = await options.callbacks.signJwt(options.signer, {
-    header,
-    payload
-  });
-  return jwt;
+
+// src/authorization-request/verify-pushed-authorization-request.ts
+async function verifyPushedAuthorizationRequest(options) {
+  const { clientAttestation, dpop } = await verifyAuthorizationRequest(options);
+  return {
+    dpop,
+    clientAttestation
+  };
 }
 
 // src/Oauth2AuthorizationServer.ts
@@ -2085,7 +2447,7 @@ var Oauth2AuthorizationServer = class {
       scope: options.scope,
       clientId: options.clientId,
       signer: options.signer,
-      dpopJwk: options.dpopJwk,
+      dpop: options.dpop,
       now: options.now,
       additionalPayload: options.additionalAccessTokenPayload
     });
@@ -2093,23 +2455,47 @@ var Oauth2AuthorizationServer = class {
       accessToken,
       callbacks: this.options.callbacks,
       expiresInSeconds: options.expiresInSeconds,
-      tokenType: options.dpopJwk ? "DPoP" : "Bearer",
+      tokenType: options.dpop ? "DPoP" : "Bearer",
       cNonce: options.cNonce,
       cNonceExpiresIn: options.cNonceExpiresIn,
       additionalPayload: options.additionalAccessTokenResponsePayload
     });
   }
+  /**
+   * Parse a pushed authorization request
+   */
+  parsePushedAuthorizationRequest(options) {
+    return parsePushedAuthorizationRequest(options);
+  }
+  verifyPushedAuthorizationRequest(options) {
+    return verifyPushedAuthorizationRequest({
+      ...options,
+      callbacks: this.options.callbacks
+    });
+  }
+  createPushedAuthorizationResponse(options) {
+    return createPushedAuthorizationResponse(options);
+  }
+  createPushedAuthorizationErrorResponse(options) {
+    return createPushedAuthorizationErrorResponse(options);
+  }
   /**
    * Parse an authorization challenge request
    */
   parseAuthorizationChallengeRequest(options) {
     return parseAuthorizationChallengeRequest(options);
   }
+  verifyAuthorizationChallengeRequest(options) {
+    return verifyAuthorizationChallengeRequest({
+      ...options,
+      callbacks: this.options.callbacks
+    });
+  }
   createAuthorizationChallengeResponse(options) {
     return createAuthorizationChallengeResponse(options);
   }
   /**
-   * Create an authorization challenge error response indicating presentation of credenitals
+   * Create an authorization challenge error response indicating presentation of credentials
    * using OpenID4VP is required before authorization can be granted.
    *
    * The `presentation` parameter should be an OpenID4VP authorization request url.
@@ -2127,25 +2513,17 @@ var Oauth2AuthorizationServer = class {
   createAuthorizationChallengeErrorResponse(options) {
     return createAuthorizationChallengeErrorResponse(options);
   }
-  async verifyClientAttestation({
-    authorizationServer,
-    headers
-  }) {
-    const { clientAttestationHeader, clientAttestationPopHeader } = extractClientAttestationJwtsFromHeaders(headers);
-    const clientAttestation = await verifyClientAttestationJwt({
-      callbacks: this.options.callbacks,
-      clientAttestationJwt: clientAttestationHeader
+  async verifyDpopJwt(options) {
+    return verifyDpopJwt({
+      ...options,
+      callbacks: this.options.callbacks
     });
-    const clientAttestationPop = await verifyClientAttestationPopJwt({
-      callbacks: this.options.callbacks,
-      authorizationServer,
-      clientAttestation,
-      clientAttestationPopJwt: clientAttestationPopHeader
+  }
+  async verifyClientAttestation(options) {
+    return verifyClientAttestation({
+      ...options,
+      callbacks: this.options.callbacks
     });
-    return {
-      clientAttestation,
-      clientAttestationPop
-    };
   }
 };
 
@@ -2153,7 +2531,7 @@ var Oauth2AuthorizationServer = class {
 import { objectToQueryParams as objectToQueryParams5 } from "@openid4vc/utils";
 
 // src/access-token/retrieve-access-token.ts
-import { ContentType as ContentType4, createZodFetcher as createZodFetcher4, objectToQueryParams as objectToQueryParams2, parseWithErrorHandling as parseWithErrorHandling13 } from "@openid4vc/utils";
+import { ContentType as ContentType4, Headers as Headers2, createZodFetcher as createZodFetcher4, objectToQueryParams as objectToQueryParams2, parseWithErrorHandling as parseWithErrorHandling13 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError4 } from "@openid4vc/utils";
 async function retrievePreAuthorizedCodeAccessToken(options) {
   const request = {
@@ -2168,8 +2546,7 @@ async function retrievePreAuthorizedCodeAccessToken(options) {
     request,
     dpop: options.dpop,
     callbacks: options.callbacks,
-    resource: options.resource,
-    clientAttestation: options.clientAttestation
+    resource: options.resource
   });
 }
 async function retrieveAuthorizationCodeAccessToken(options) {
@@ -2186,8 +2563,7 @@ async function retrieveAuthorizationCodeAccessToken(options) {
     request,
     dpop: options.dpop,
     resource: options.resource,
-    callbacks: options.callbacks,
-    clientAttestation: options.clientAttestation
+    callbacks: options.callbacks
   });
 }
 async function retrieveRefreshTokenAccessToken(options) {
@@ -2202,8 +2578,7 @@ async function retrieveRefreshTokenAccessToken(options) {
     request,
     dpop: options.dpop,
     callbacks: options.callbacks,
-    resource: options.resource,
-    clientAttestation: options.clientAttestation
+    resource: options.resource
   });
 }
 async function retrieveAccessToken(options) {
@@ -2216,11 +2591,6 @@ async function retrieveAccessToken(options) {
   if (accessTokenRequest.tx_code) {
     accessTokenRequest.user_pin = accessTokenRequest.tx_code;
   }
-  const clientAttestation = options.clientAttestation ? await createClientAttestationForRequest({
-    authorizationServer: options.authorizationServerMetadata.issuer,
-    clientAttestation: options.clientAttestation,
-    callbacks: options.callbacks
-  }) : void 0;
   return await authorizationServerRequestWithDpopRetry({
     dpop: options.dpop,
     request: async (dpop) => {
@@ -2233,22 +2603,26 @@ async function retrieveAccessToken(options) {
         callbacks: options.callbacks,
         nonce: dpop.nonce
       }) : void 0;
-      const requestQueryParams = objectToQueryParams2({
-        ...accessTokenRequest,
-        ...clientAttestation?.body
+      const headers = new Headers2({
+        "Content-Type": ContentType4.XWwwFormUrlencoded,
+        ...dpopHeaders
+      });
+      await options.callbacks.clientAuthentication({
+        url: options.authorizationServerMetadata.token_endpoint,
+        method: "POST",
+        authorizationServerMetadata: options.authorizationServerMetadata,
+        body: accessTokenRequest,
+        contentType: ContentType4.XWwwFormUrlencoded,
+        headers
       });
       const { response, result } = await fetchWithZod(
         zAccessTokenResponse,
         ContentType4.Json,
         options.authorizationServerMetadata.token_endpoint,
         {
-          body: requestQueryParams.toString(),
+          body: objectToQueryParams2(accessTokenRequest).toString(),
           method: "POST",
-          headers: {
-            "Content-Type": ContentType4.XWwwFormUrlencoded,
-            ...clientAttestation?.headers,
-            ...dpopHeaders
-          }
+          headers
         }
       );
       if (!response.ok || !result) {
@@ -2286,6 +2660,7 @@ async function retrieveAccessToken(options) {
 // src/authorization-challenge/send-authorization-challenge.ts
 import {
   ContentType as ContentType5,
+  Headers as Headers3,
   ValidationError as ValidationError3,
   createZodFetcher as createZodFetcher5,
   objectToQueryParams as objectToQueryParams3,
@@ -2306,21 +2681,14 @@ async function sendAuthorizationChallengeRequest(options) {
     callbacks: options.callbacks,
     codeVerifier: options.pkceCodeVerifier
   }) : void 0;
-  const clientAttestation = options.clientAttestation ? await createClientAttestationForRequest({
-    authorizationServer: options.authorizationServerMetadata.issuer,
-    clientAttestation: options.clientAttestation,
-    callbacks: options.callbacks
-  }) : void 0;
   const authorizationChallengeRequest = parseWithErrorHandling14(zAuthorizationChallengeRequest, {
     ...options.additionalRequestPayload,
     auth_session: options.authSession,
-    client_id: options.clientId,
     scope: options.scope,
     resource: options.resource,
     code_challenge: pkce?.codeChallenge,
     code_challenge_method: pkce?.codeChallengeMethod,
-    presentation_during_issuance_session: options.presentationDuringIssuanceSession,
-    ...clientAttestation?.body
+    presentation_during_issuance_session: options.presentationDuringIssuanceSession
   });
   return authorizationServerRequestWithDpopRetry({
     dpop: options.dpop,
@@ -2334,6 +2702,18 @@ async function sendAuthorizationChallengeRequest(options) {
         callbacks: options.callbacks,
         nonce: dpop.nonce
       }) : void 0;
+      const headers = new Headers3({
+        ...dpopHeaders,
+        "Content-Type": ContentType5.XWwwFormUrlencoded
+      });
+      await options.callbacks.clientAuthentication({
+        url: authorizationChallengeEndpoint,
+        method: "POST",
+        authorizationServerMetadata: options.authorizationServerMetadata,
+        body: authorizationChallengeRequest,
+        contentType: ContentType5.XWwwFormUrlencoded,
+        headers
+      });
       const { response, result } = await fetchWithZod(
         zAuthorizationChallengeResponse,
         ContentType5.Json,
@@ -2341,11 +2721,7 @@ async function sendAuthorizationChallengeRequest(options) {
         {
           method: "POST",
           body: objectToQueryParams3(authorizationChallengeRequest).toString(),
-          headers: {
-            ...clientAttestation?.headers,
-            ...dpopHeaders,
-            "Content-Type": ContentType5.XWwwFormUrlencoded
-          }
+          headers
         }
       );
       if (!response.ok || !result) {
@@ -2382,7 +2758,7 @@ async function sendAuthorizationChallengeRequest(options) {
 }
 
 // src/authorization-request/create-authorization-request.ts
-import { ContentType as ContentType6, createZodFetcher as createZodFetcher6, objectToQueryParams as objectToQueryParams4 } from "@openid4vc/utils";
+import { ContentType as ContentType6, Headers as Headers4, createZodFetcher as createZodFetcher6, objectToQueryParams as objectToQueryParams4 } from "@openid4vc/utils";
 import { InvalidFetchResponseError as InvalidFetchResponseError6 } from "@openid4vc/utils";
 async function createAuthorizationRequestUrl(options) {
   const authorizationServerMetadata = options.authorizationServerMetadata;
@@ -2415,11 +2791,6 @@ async function createAuthorizationRequestUrl(options) {
         `Authorization server '${authorizationServerMetadata.issuer}' indicated that pushed authorization requests are required, but the 'pushed_authorization_request_endpoint' is missing in the authorization server metadata.`
       );
     }
-    const clientAttestation = options.clientAttestation ? await createClientAttestationForRequest({
-      authorizationServer: options.authorizationServerMetadata.issuer,
-      clientAttestation: options.clientAttestation,
-      callbacks: options.callbacks
-    }) : void 0;
     const { pushedAuthorizationResponse, dpopNonce } = await authorizationServerRequestWithDpopRetry({
       dpop: options.dpop,
       request: async (dpop2) => {
@@ -2433,16 +2804,11 @@ async function createAuthorizationRequestUrl(options) {
           nonce: dpop2.nonce
         }) : void 0;
         return await pushAuthorizationRequest({
-          authorizationRequest: {
-            ...authorizationRequest,
-            ...clientAttestation?.headers
-          },
+          authorizationServerMetadata,
+          authorizationRequest,
           pushedAuthorizationRequestEndpoint,
-          fetch: options.callbacks.fetch,
-          headers: {
-            ...clientAttestation?.headers,
-            ...dpopHeaders
-          }
+          callbacks: options.callbacks,
+          headers: dpopHeaders
         });
       }
     });
@@ -2473,12 +2839,24 @@ async function createAuthorizationRequestUrl(options) {
   };
 }
 async function pushAuthorizationRequest(options) {
-  const fetchWithZod = createZodFetcher6(options.fetch);
+  const fetchWithZod = createZodFetcher6(options.callbacks.fetch);
   if (options.authorizationRequest.request_uri) {
     throw new Oauth2Error(
       `Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization reuqests.`
     );
   }
+  const headers = new Headers4({
+    ...options.headers,
+    "Content-Type": ContentType6.XWwwFormUrlencoded
+  });
+  await options.callbacks.clientAuthentication({
+    url: options.pushedAuthorizationRequestEndpoint,
+    method: "POST",
+    authorizationServerMetadata: options.authorizationServerMetadata,
+    body: options.authorizationRequest,
+    contentType: ContentType6.XWwwFormUrlencoded,
+    headers
+  });
   const { response, result } = await fetchWithZod(
     zPushedAuthorizationResponse,
     ContentType6.Json,
@@ -2486,10 +2864,7 @@ async function pushAuthorizationRequest(options) {
     {
       method: "POST",
       body: objectToQueryParams4(options.authorizationRequest).toString(),
-      headers: {
-        ...options.headers,
-        "Content-Type": ContentType6.XWwwFormUrlencoded
-      }
+      headers
     }
   );
   if (!response.ok || !result) {
@@ -2524,6 +2899,8 @@ var Oauth2Client = class {
   constructor(options) {
     this.options = options;
   }
+  // TODO: add options to provide client metadata / algs supported by the client
+  // so we can find the commonly supported algs and make it easier
   isDpopSupported(options) {
     if (!options.authorizationServerMetadata.dpop_signing_alg_values_supported || options.authorizationServerMetadata.dpop_signing_alg_values_supported.length === 0) {
       return {
@@ -2535,6 +2912,18 @@ var Oauth2Client = class {
       dpopSigningAlgValuesSupported: options.authorizationServerMetadata.dpop_signing_alg_values_supported
     };
   }
+  isClientAttestationSupported(options) {
+    if (!options.authorizationServerMetadata.token_endpoint_auth_methods_supported || !options.authorizationServerMetadata.token_endpoint_auth_methods_supported.includes(
+      "attest_jwt_client_auth" /* ClientAttestationJwt */
+    )) {
+      return {
+        supported: false
+      };
+    }
+    return {
+      supported: true
+    };
+  }
   async fetchAuthorizationServerMetadata(issuer) {
     return fetchAuthorizationServerMetadata(issuer, this.options.callbacks.fetch);
   }
@@ -2562,11 +2951,9 @@ var Oauth2Client = class {
         await this.sendAuthorizationChallengeRequest({
           authorizationServerMetadata: options.authorizationServerMetadata,
           additionalRequestPayload: options.additionalRequestPayload,
-          clientId: options.clientId,
           pkceCodeVerifier: pkce?.codeVerifier,
           scope: options.scope,
           resource: options.resource,
-          clientAttestation: options.clientAttestation,
           dpop: options.dpop
         });
       } catch (error) {
@@ -2599,7 +2986,6 @@ var Oauth2Client = class {
       scope: options.scope,
       pkceCodeVerifier: pkce?.codeVerifier,
       resource: options.resource,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
   }
@@ -2619,7 +3005,6 @@ var Oauth2Client = class {
       scope: options.scope,
       callbacks: this.options.callbacks,
       pkceCodeVerifier: options.pkceCodeVerifier,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
   }
@@ -2629,8 +3014,7 @@ var Oauth2Client = class {
     additionalRequestPayload,
     txCode,
     dpop,
-    resource,
-    clientAttestation
+    resource
   }) {
     const result = await retrievePreAuthorizedCodeAccessToken({
       authorizationServerMetadata,
@@ -2642,8 +3026,7 @@ var Oauth2Client = class {
         tx_code: txCode
       },
       callbacks: this.options.callbacks,
-      dpop,
-      clientAttestation
+      dpop
     });
     return result;
   }
@@ -2654,8 +3037,7 @@ var Oauth2Client = class {
     pkceCodeVerifier,
     redirectUri,
     resource,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     const result = await retrieveAuthorizationCodeAccessToken({
       authorizationServerMetadata,
@@ -2665,8 +3047,7 @@ var Oauth2Client = class {
       resource,
       callbacks: this.options.callbacks,
       dpop,
-      redirectUri,
-      clientAttestation
+      redirectUri
     });
     return result;
   }
@@ -2675,8 +3056,7 @@ var Oauth2Client = class {
     additionalRequestPayload,
     refreshToken,
     resource,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     const result = await retrieveRefreshTokenAccessToken({
       authorizationServerMetadata,
@@ -2684,23 +3064,13 @@ var Oauth2Client = class {
       additionalRequestPayload,
       resource,
       callbacks: this.options.callbacks,
-      dpop,
-      clientAttestation
+      dpop
     });
     return result;
   }
   async resourceRequest(options) {
     return resourceRequest(options);
   }
-  /**
-   * @todo move this to another class?
-   */
-  async createClientAttestationJwt(options) {
-    return await createClientAttestationJwt({
-      callbacks: this.options.callbacks,
-      ...options
-    });
-  }
 };
 
 // src/Oauth2ResourceServer.ts
@@ -2731,12 +3101,16 @@ export {
   Oauth2ServerErrorResponseError,
   PkceCodeChallengeMethod,
   SupportedAuthenticationScheme,
+  SupportedClientAuthenticationMethod,
   authorizationCodeGrantIdentifier,
   calculateJwkThumbprint,
+  clientAuthenticationAnonymous,
+  clientAuthenticationClientAttestationJwt,
   clientAuthenticationClientSecretBasic,
   clientAuthenticationClientSecretPost,
   clientAuthenticationDynamic,
   clientAuthenticationNone,
+  createClientAttestationJwt,
   decodeJwt,
   decodeJwtHeader,
   fetchAuthorizationServerMetadata,