@openid4vc/oauth2 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250328112257

package/dist/index.js

@@ -31,7 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   HashAlgorithm: () => HashAlgorithm,
-  InvalidFetchResponseError: () => import_utils43.InvalidFetchResponseError,
+  InvalidFetchResponseError: () => import_utils46.InvalidFetchResponseError,
   Oauth2AuthorizationServer: () => Oauth2AuthorizationServer,
   Oauth2Client: () => Oauth2Client,
   Oauth2ClientAuthorizationChallengeError: () => Oauth2ClientAuthorizationChallengeError,
@@ -45,26 +45,30 @@ __export(src_exports, {
   Oauth2ServerErrorResponseError: () => Oauth2ServerErrorResponseError,
   PkceCodeChallengeMethod: () => PkceCodeChallengeMethod,
   SupportedAuthenticationScheme: () => SupportedAuthenticationScheme,
+  SupportedClientAuthenticationMethod: () => SupportedClientAuthenticationMethod,
   authorizationCodeGrantIdentifier: () => authorizationCodeGrantIdentifier,
   calculateJwkThumbprint: () => calculateJwkThumbprint,
+  clientAuthenticationAnonymous: () => clientAuthenticationAnonymous,
+  clientAuthenticationClientAttestationJwt: () => clientAuthenticationClientAttestationJwt,
   clientAuthenticationClientSecretBasic: () => clientAuthenticationClientSecretBasic,
   clientAuthenticationClientSecretPost: () => clientAuthenticationClientSecretPost,
   clientAuthenticationDynamic: () => clientAuthenticationDynamic,
   clientAuthenticationNone: () => clientAuthenticationNone,
+  createClientAttestationJwt: () => createClientAttestationJwt,
   decodeJwt: () => decodeJwt,
   decodeJwtHeader: () => decodeJwtHeader,
   fetchAuthorizationServerMetadata: () => fetchAuthorizationServerMetadata,
   fetchJwks: () => fetchJwks,
   fetchWellKnownMetadata: () => fetchWellKnownMetadata,
   getAuthorizationServerMetadataFromList: () => getAuthorizationServerMetadataFromList,
-  getGlobalConfig: () => import_utils42.getGlobalConfig,
+  getGlobalConfig: () => import_utils45.getGlobalConfig,
   isJwkInSet: () => isJwkInSet,
   jwtHeaderFromJwtSigner: () => jwtHeaderFromJwtSigner,
   jwtSignerFromJwt: () => jwtSignerFromJwt,
   preAuthorizedCodeGrantIdentifier: () => preAuthorizedCodeGrantIdentifier,
   refreshTokenGrantIdentifier: () => refreshTokenGrantIdentifier,
   resourceRequest: () => resourceRequest,
-  setGlobalConfig: () => import_utils42.setGlobalConfig,
+  setGlobalConfig: () => import_utils45.setGlobalConfig,
   verifyJwt: () => verifyJwt,
   verifyResourceRequest: () => verifyResourceRequest,
   zAlgValueNotNone: () => zAlgValueNotNone,
@@ -81,7 +85,7 @@ __export(src_exports, {
   zRefreshTokenGrantIdentifier: () => zRefreshTokenGrantIdentifier
 });
 module.exports = __toCommonJS(src_exports);
-var import_utils42 = require("@openid4vc/utils");
+var import_utils45 = require("@openid4vc/utils");
 
 // src/common/z-oauth2-error.ts
 var import_zod = __toESM(require("zod"));
@@ -501,8 +505,305 @@ var zCompactJwe = import_zod6.z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\
   message: "Not a valid compact jwe"
 });
 
+// src/client-attestation/clent-attestation.ts
+var import_utils8 = require("@openid4vc/utils");
+
+// src/common/jwt/verify-jwt.ts
+var import_utils5 = require("@openid4vc/utils");
+
+// src/error/Oauth2JwtVerificationError.ts
+var Oauth2JwtVerificationError = class extends Oauth2Error {
+  constructor(message, options) {
+    const errorMessage = message ?? "Error verifiying jwt.";
+    super(errorMessage, options);
+  }
+};
+
+// src/common/jwt/verify-jwt.ts
+async function verifyJwt(options) {
+  const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
+  let signerJwk;
+  try {
+    const result = await options.verifyJwtCallback(options.signer, {
+      header: options.header,
+      payload: options.payload,
+      compact: options.compact
+    });
+    if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
+    signerJwk = result.signerJwk;
+  } catch (error) {
+    if (error instanceof Oauth2JwtVerificationError) throw error;
+    throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
+  }
+  const nowInSeconds = (0, import_utils5.dateToSeconds)(options.now ?? /* @__PURE__ */ new Date());
+  const skewInSeconds = options.allowedSkewInSeconds ?? 0;
+  const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
+  if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
+  }
+  if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
+  }
+  if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
+  }
+  if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
+  }
+  if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
+  }
+  if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
+    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
+  }
+  if (options.requiredClaims) {
+    for (const claim of options.requiredClaims) {
+      if (!options.payload[claim]) {
+        throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
+      }
+    }
+  }
+  return {
+    signer: {
+      ...options.signer,
+      publicJwk: signerJwk
+    }
+  };
+}
+
+// src/error/Oauth2ServerErrorResponseError.ts
+var Oauth2ServerErrorResponseError = class extends Oauth2Error {
+  constructor(errorResponse, options) {
+    super(
+      `${options?.internalMessage ?? errorResponse.error_description}
+${JSON.stringify(errorResponse, null, 2)}`,
+      options
+    );
+    this.errorResponse = errorResponse;
+    this.status = options?.status ?? 400;
+  }
+};
+
+// src/client-attestation/client-attestation-pop.ts
+var import_utils7 = require("@openid4vc/utils");
+
+// src/client-attestation/z-client-attestation.ts
+var import_utils6 = require("@openid4vc/utils");
+var import_zod7 = __toESM(require("zod"));
+var zOauthClientAttestationHeader = import_zod7.default.literal("OAuth-Client-Attestation");
+var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
+var zClientAttestationJwtPayload = import_zod7.default.object({
+  ...zJwtPayload.shape,
+  iss: import_zod7.default.string(),
+  sub: import_zod7.default.string(),
+  exp: import_utils6.zInteger,
+  cnf: import_zod7.default.object({
+    jwk: zJwk
+  }).passthrough(),
+  // OID4VCI Wallet Attestation Extensions
+  wallet_name: import_zod7.default.string().optional(),
+  wallet_link: import_zod7.default.string().url().optional()
+}).passthrough();
+var zClientAttestationJwtHeader = import_zod7.default.object({
+  ...zJwtHeader.shape,
+  typ: import_zod7.default.literal("oauth-client-attestation+jwt")
+}).passthrough();
+var zOauthClientAttestationPopHeader = import_zod7.default.literal("OAuth-Client-Attestation-PoP");
+var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
+var zClientAttestationPopJwtPayload = import_zod7.default.object({
+  ...zJwtPayload.shape,
+  iss: import_zod7.default.string(),
+  exp: import_utils6.zInteger,
+  aud: import_utils6.zHttpsUrl,
+  jti: import_zod7.default.string(),
+  nonce: import_zod7.default.optional(import_zod7.default.string())
+}).passthrough();
+var zClientAttestationPopJwtHeader = import_zod7.default.object({
+  ...zJwtHeader.shape,
+  typ: import_zod7.default.literal("oauth-client-attestation-pop+jwt")
+}).passthrough();
+
+// src/client-attestation/client-attestation-pop.ts
+async function verifyClientAttestationPopJwt(options) {
+  const { header, payload } = decodeJwt({
+    jwt: options.clientAttestationPopJwt,
+    headerSchema: zClientAttestationPopJwtHeader,
+    payloadSchema: zClientAttestationPopJwtPayload
+  });
+  if (payload.iss !== options.clientAttestation.payload.sub) {
+    throw new Oauth2Error(
+      `Client Attestation Pop jwt contains 'iss' (client_id) value '${payload.iss}', but expected 'sub' value from client attestation '${options.clientAttestation.payload.sub}'`
+    );
+  }
+  if (payload.aud !== options.authorizationServer) {
+    throw new Oauth2Error(
+      `Client Attestation Pop jwt contains 'aud' value '${payload.aud}', but expected authorization server identifier '${options.authorizationServer}'`
+    );
+  }
+  const { signer } = await verifyJwt({
+    signer: {
+      alg: header.alg,
+      method: "jwk",
+      publicJwk: options.clientAttestation.payload.cnf.jwk
+    },
+    now: options.now,
+    header,
+    expectedNonce: options.expectedNonce,
+    payload,
+    compact: options.clientAttestationPopJwt,
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "client attestation pop jwt verification failed"
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
+async function createClientAttestationPopJwt(options) {
+  const clientAttestation = decodeJwt({
+    jwt: options.clientAttestation,
+    headerSchema: zClientAttestationJwtHeader,
+    payloadSchema: zClientAttestationJwtPayload
+  });
+  const signer = options.signer ?? {
+    method: "jwk",
+    alg: clientAttestation.header.alg,
+    publicJwk: clientAttestation.payload.cnf.jwk
+  };
+  const header = (0, import_utils7.parseWithErrorHandling)(zClientAttestationPopJwtHeader, {
+    typ: "oauth-client-attestation-pop+jwt",
+    alg: signer.alg
+  });
+  const expiresAt = options.expiresAt ?? (0, import_utils7.addSecondsToDate)(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
+  const payload = (0, import_utils7.parseWithErrorHandling)(zClientAttestationPopJwtPayload, {
+    aud: options.authorizationServer,
+    iss: clientAttestation.payload.sub,
+    iat: (0, import_utils7.dateToSeconds)(options.issuedAt),
+    exp: (0, import_utils7.dateToSeconds)(expiresAt),
+    jti: (0, import_utils7.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
+    nonce: options.nonce,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(signer, {
+    header,
+    payload
+  });
+  return jwt;
+}
+
+// src/client-attestation/clent-attestation.ts
+async function verifyClientAttestationJwt(options) {
+  const { header, payload } = decodeJwt({
+    jwt: options.clientAttestationJwt,
+    headerSchema: zClientAttestationJwtHeader,
+    payloadSchema: zClientAttestationJwtPayload
+  });
+  const { signer } = await verifyJwt({
+    signer: jwtSignerFromJwt({ header, payload }),
+    now: options.now,
+    header,
+    payload,
+    compact: options.clientAttestationJwt,
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "client attestation jwt verification failed"
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
+async function createClientAttestationJwt(options) {
+  const header = (0, import_utils8.parseWithErrorHandling)(zClientAttestationJwtHeader, {
+    typ: "oauth-client-attestation+jwt",
+    ...jwtHeaderFromJwtSigner(options.signer)
+  });
+  const payload = (0, import_utils8.parseWithErrorHandling)(zClientAttestationJwtPayload, {
+    iss: options.issuer,
+    iat: (0, import_utils8.dateToSeconds)(options.issuedAt),
+    exp: (0, import_utils8.dateToSeconds)(options.expiresAt),
+    sub: options.clientId,
+    cnf: options.confirmation,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(options.signer, {
+    header,
+    payload
+  });
+  return jwt;
+}
+function extractClientAttestationJwtsFromHeaders(headers) {
+  const clientAttestationHeader = headers.get(oauthClientAttestationHeader);
+  const clientAttestationPopHeader = headers.get(oauthClientAttestationPopHeader);
+  if (!clientAttestationHeader && !clientAttestationPopHeader) {
+    return { valid: true };
+  }
+  if (!clientAttestationHeader || !clientAttestationPopHeader) {
+    return { valid: false };
+  }
+  if (!zCompactJwt.safeParse(clientAttestationHeader).success || !zCompactJwt.safeParse(clientAttestationPopHeader).success) {
+    return { valid: false };
+  }
+  return {
+    valid: true,
+    clientAttestationPopHeader,
+    clientAttestationHeader
+  };
+}
+async function verifyClientAttestation({
+  authorizationServer,
+  clientAttestationJwt,
+  clientAttestationPopJwt,
+  callbacks,
+  now
+}) {
+  try {
+    const clientAttestation = await verifyClientAttestationJwt({
+      callbacks,
+      clientAttestationJwt,
+      now
+    });
+    const clientAttestationPop = await verifyClientAttestationPopJwt({
+      callbacks,
+      authorizationServer,
+      clientAttestation,
+      clientAttestationPopJwt,
+      now
+    });
+    return {
+      clientAttestation,
+      clientAttestationPop
+    };
+  } catch (error) {
+    if (error instanceof Oauth2Error) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: "invalid_client" /* InvalidClient */,
+          error_description: `Error verifying client attestation. ${error.message}`
+        },
+        {
+          status: 401,
+          cause: error
+        }
+      );
+    }
+    throw new Oauth2ServerErrorResponseError(
+      {
+        error: "server_error" /* ServerError */,
+        error_description: "Error during verification of client attestation jwt"
+      },
+      {
+        status: 500,
+        cause: error,
+        internalMessage: "Unknown error thrown during verification of client attestation jwt"
+      }
+    );
+  }
+}
+
 // src/index.ts
-var import_utils43 = require("@openid4vc/utils");
+var import_utils46 = require("@openid4vc/utils");
 
 // src/error/Oauth2ClientErrorResponseError.ts
 var Oauth2ClientErrorResponseError = class extends Oauth2Error {
@@ -522,16 +823,8 @@ var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorRes
   }
 };
 
-// src/error/Oauth2JwtVerificationError.ts
-var Oauth2JwtVerificationError = class extends Oauth2Error {
-  constructor(message, options) {
-    const errorMessage = message ?? "Error verifiying jwt.";
-    super(errorMessage, options);
-  }
-};
-
 // src/error/Oauth2ResourceUnauthorizedError.ts
-var import_utils5 = require("@openid4vc/utils");
+var import_utils9 = require("@openid4vc/utils");
 var Oauth2ResourceUnauthorizedError = class _Oauth2ResourceUnauthorizedError extends Oauth2Error {
   constructor(internalMessage, wwwAuthenticateHeaders) {
     super(`${internalMessage}
@@ -539,7 +832,7 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
     this.wwwAuthenticateHeaders = Array.isArray(wwwAuthenticateHeaders) ? wwwAuthenticateHeaders : [wwwAuthenticateHeaders];
   }
   static fromHeaderValue(value) {
-    const headers = (0, import_utils5.parseWwwAuthenticateHeader)(value);
+    const headers = (0, import_utils9.parseWwwAuthenticateHeader)(value);
     return new _Oauth2ResourceUnauthorizedError(
       void 0,
       headers.map(
@@ -554,7 +847,7 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
     );
   }
   toHeaderValue() {
-    return (0, import_utils5.encodeWwwAuthenticateHeader)(
+    return (0, import_utils9.encodeWwwAuthenticateHeader)(
       this.wwwAuthenticateHeaders.map((header) => ({
         scheme: header.scheme,
         payload: {
@@ -568,97 +861,86 @@ ${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
   }
 };
 
-// src/error/Oauth2ServerErrorResponseError.ts
-var Oauth2ServerErrorResponseError = class extends Oauth2Error {
-  constructor(errorResponse, options) {
-    super(
-      `${options?.internalMessage ?? errorResponse.error_description}
-${JSON.stringify(errorResponse, null, 2)}`,
-      options
-    );
-    this.errorResponse = errorResponse;
-    this.status = options?.status ?? 400;
-  }
-};
-
 // src/metadata/authorization-server/authorization-server-metadata.ts
-var import_utils9 = require("@openid4vc/utils");
+var import_utils13 = require("@openid4vc/utils");
 
 // src/metadata/fetch-well-known-metadata.ts
-var import_utils6 = require("@openid4vc/utils");
-var import_utils7 = require("@openid4vc/utils");
+var import_utils10 = require("@openid4vc/utils");
+var import_utils11 = require("@openid4vc/utils");
 
-// ../utils/src/error/ValidationError.ts
-var import_zod7 = require("zod");
+// ../utils/src/zod-error.ts
+var import_zod8 = require("zod");
 var constants = {
   // biome-ignore lint/suspicious/noMisleadingCharacterClass: expected
   identifierRegex: /[$_\p{ID_Start}][$\u200c\u200d\p{ID_Continue}]*/u,
   unionSeparator: ", or ",
   issueSeparator: "\n	- "
 };
-var ValidationError = class extends Error {
-  escapeQuotes(str) {
-    return str.replace(/"/g, '\\"');
+function escapeQuotes(str) {
+  return str.replace(/"/g, '\\"');
+}
+function joinPath(path) {
+  if (path.length === 1) {
+    return path[0].toString();
   }
-  joinPath(path) {
-    if (path.length === 1) {
-      return path[0].toString();
+  return path.reduce((acc, item) => {
+    if (typeof item === "number") {
+      return `${acc}[${item.toString()}]`;
     }
-    return path.reduce((acc, item) => {
-      if (typeof item === "number") {
-        return `${acc}[${item.toString()}]`;
-      }
-      if (item.includes('"')) {
-        return `${acc}["${this.escapeQuotes(item)}"]`;
-      }
-      if (!constants.identifierRegex.test(item)) {
-        return `${acc}["${item}"]`;
-      }
-      const separator = acc.length === 0 ? "" : ".";
-      return acc + separator + item;
-    }, "");
-  }
-  getMessageFromUnionErrors(unionErrors) {
-    return unionErrors.reduce((acc, zodError) => {
-      const newIssues = zodError.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
-      if (!acc.includes(newIssues)) acc.push(newIssues);
-      return acc;
-    }, []).join(constants.unionSeparator);
-  }
-  getMessageFromZodIssue(issue) {
-    if (issue.code === import_zod7.ZodIssueCode.invalid_union) {
-      return this.getMessageFromUnionErrors(issue.unionErrors);
+    if (item.includes('"')) {
+      return `${acc}["${escapeQuotes(item)}"]`;
     }
-    if (issue.code === import_zod7.ZodIssueCode.invalid_arguments) {
-      return [issue.message, ...issue.argumentsError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
-        constants.issueSeparator
-      );
+    if (!constants.identifierRegex.test(item)) {
+      return `${acc}["${item}"]`;
     }
-    if (issue.code === import_zod7.ZodIssueCode.invalid_return_type) {
-      return [issue.message, ...issue.returnTypeError.issues.map((issue2) => this.getMessageFromZodIssue(issue2))].join(
-        constants.issueSeparator
-      );
-    }
-    if (issue.path.length !== 0) {
-      if (issue.path.length === 1) {
-        const identifier = issue.path[0];
-        if (typeof identifier === "number") {
-          return `${issue.message} at index ${identifier}`;
-        }
+    const separator = acc.length === 0 ? "" : ".";
+    return acc + separator + item;
+  }, "");
+}
+function getMessageFromZodIssue(issue) {
+  if (issue.code === import_zod8.ZodIssueCode.invalid_union) {
+    return getMessageFromUnionErrors(issue.unionErrors);
+  }
+  if (issue.code === import_zod8.ZodIssueCode.invalid_arguments) {
+    return [issue.message, ...issue.argumentsError.issues.map((issue2) => getMessageFromZodIssue(issue2))].join(
+      constants.issueSeparator
+    );
+  }
+  if (issue.code === import_zod8.ZodIssueCode.invalid_return_type) {
+    return [issue.message, ...issue.returnTypeError.issues.map((issue2) => getMessageFromZodIssue(issue2))].join(
+      constants.issueSeparator
+    );
+  }
+  if (issue.path.length !== 0) {
+    if (issue.path.length === 1) {
+      const identifier = issue.path[0];
+      if (typeof identifier === "number") {
+        return `${issue.message} at index ${identifier}`;
       }
-      return `${issue.message} at "${this.joinPath(issue.path)}"`;
     }
-    return issue.message;
-  }
-  formatError(error) {
-    if (!error) return "";
-    return error?.issues.map((issue) => this.getMessageFromZodIssue(issue)).join(constants.issueSeparator);
+    return `${issue.message} at "${joinPath(issue.path)}"`;
   }
+  return issue.message;
+}
+function getMessageFromUnionErrors(unionErrors) {
+  return unionErrors.reduce((acc, zodError) => {
+    const newIssues = zodError.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator);
+    if (!acc.includes(newIssues)) acc.push(newIssues);
+    return acc;
+  }, []).join(constants.unionSeparator);
+}
+function formatZodError(error) {
+  if (!error) return "";
+  return `	- ${error?.issues.map((issue) => getMessageFromZodIssue(issue)).join(constants.issueSeparator)}`;
+}
+
+// ../utils/src/error/ValidationError.ts
+var ValidationError = class extends Error {
   constructor(message, zodError) {
     super(message);
-    const formattedError = this.formatError(zodError);
+    const formattedError = formatZodError(zodError);
     this.message = `${message}
-	- ${formattedError}`;
+${formattedError}`;
     Object.defineProperty(this, "zodError", {
       value: zodError,
       writable: false,
@@ -669,13 +951,13 @@ var ValidationError = class extends Error {
 
 // src/metadata/fetch-well-known-metadata.ts
 async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
-  const fetcher = (0, import_utils6.createZodFetcher)(fetch);
-  const { result, response } = await fetcher(schema, import_utils6.ContentType.Json, wellKnownMetadataUrl);
+  const fetcher = (0, import_utils10.createZodFetcher)(fetch);
+  const { result, response } = await fetcher(schema, import_utils10.ContentType.Json, wellKnownMetadataUrl);
   if (response.status === 404) {
     return null;
   }
   if (!response.ok) {
-    throw new import_utils7.InvalidFetchResponseError(
+    throw new import_utils11.InvalidFetchResponseError(
       `Fetching well known metadata from '${wellKnownMetadataUrl}' resulted in an unsuccessfull response with status '${response.status}'.`,
       await response.clone().text(),
       response
@@ -688,31 +970,40 @@ async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, fetch) {
 }
 
 // src/metadata/authorization-server/z-authorization-server-metadata.ts
-var import_utils8 = require("@openid4vc/utils");
-var import_zod8 = __toESM(require("zod"));
-var zAuthorizationServerMetadata = import_zod8.default.object({
-  issuer: import_utils8.zHttpsUrl,
-  token_endpoint: import_utils8.zHttpsUrl,
-  token_endpoint_auth_methods_supported: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string())),
-  authorization_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
-  jwks_uri: import_zod8.default.optional(import_utils8.zHttpsUrl),
+var import_utils12 = require("@openid4vc/utils");
+var import_zod9 = __toESM(require("zod"));
+var knownClientAuthenticationMethod = import_zod9.default.enum([
+  "client_secret_basic",
+  "client_secret_post",
+  "attest_jwt_client_auth",
+  "client_secret_jwt",
+  "private_key_jwt"
+]);
+var zAuthorizationServerMetadata = import_zod9.default.object({
+  issuer: import_utils12.zHttpsUrl,
+  token_endpoint: import_utils12.zHttpsUrl,
+  token_endpoint_auth_methods_supported: import_zod9.default.optional(import_zod9.default.array(import_zod9.default.union([knownClientAuthenticationMethod, import_zod9.default.string()]))),
+  authorization_endpoint: import_zod9.default.optional(import_utils12.zHttpsUrl),
+  jwks_uri: import_zod9.default.optional(import_utils12.zHttpsUrl),
   // RFC7636
-  code_challenge_methods_supported: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string())),
+  code_challenge_methods_supported: import_zod9.default.optional(import_zod9.default.array(import_zod9.default.string())),
   // RFC9449
-  dpop_signing_alg_values_supported: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string())),
+  dpop_signing_alg_values_supported: import_zod9.default.optional(import_zod9.default.array(import_zod9.default.string())),
   // RFC9126
-  require_pushed_authorization_requests: import_zod8.default.optional(import_zod8.default.boolean()),
-  pushed_authorization_request_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
+  require_pushed_authorization_requests: import_zod9.default.optional(import_zod9.default.boolean()),
+  pushed_authorization_request_endpoint: import_zod9.default.optional(import_utils12.zHttpsUrl),
   // RFC9068
-  introspection_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
-  introspection_endpoint_auth_methods_supported: import_zod8.default.optional(
-    import_zod8.default.array(import_zod8.default.union([import_zod8.default.literal("client_secret_jwt"), import_zod8.default.literal("private_key_jwt"), import_zod8.default.string()]))
+  introspection_endpoint: import_zod9.default.optional(import_utils12.zHttpsUrl),
+  introspection_endpoint_auth_methods_supported: import_zod9.default.optional(
+    import_zod9.default.array(import_zod9.default.union([knownClientAuthenticationMethod, import_zod9.default.string()]))
   ),
-  introspection_endpoint_auth_signing_alg_values_supported: import_zod8.default.optional(import_zod8.default.array(zAlgValueNotNone)),
+  introspection_endpoint_auth_signing_alg_values_supported: import_zod9.default.optional(import_zod9.default.array(zAlgValueNotNone)),
   // FiPA (no RFC yet)
-  authorization_challenge_endpoint: import_zod8.default.optional(import_utils8.zHttpsUrl),
+  authorization_challenge_endpoint: import_zod9.default.optional(import_utils12.zHttpsUrl),
   // From OpenID4VCI specification
-  pre_authorized_grant_anonymous_access_supported: import_zod8.default.optional(import_zod8.default.boolean())
+  pre_authorized_grant_anonymous_access_supported: import_zod9.default.optional(import_zod9.default.boolean()),
+  // Attestation Based Client Auth (draft 5)
+  client_attestation_pop_nonce_required: import_zod9.default.boolean().optional()
 }).passthrough().refine(
   ({
     introspection_endpoint_auth_methods_supported: methodsSupported,
@@ -729,9 +1020,9 @@ var zAuthorizationServerMetadata = import_zod8.default.object({
 var wellKnownAuthorizationServerSuffix = ".well-known/oauth-authorization-server";
 var wellKnownOpenIdConfigurationServerSuffix = ".well-known/openid-configuration";
 async function fetchAuthorizationServerMetadata(issuer, fetch) {
-  const openIdConfigurationWellKnownMetadataUrl = (0, import_utils9.joinUriParts)(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
-  const parsedIssuerUrl = new import_utils9.URL(issuer);
-  const authorizationServerWellKnownMetadataUrl = (0, import_utils9.joinUriParts)(parsedIssuerUrl.origin, [
+  const openIdConfigurationWellKnownMetadataUrl = (0, import_utils13.joinUriParts)(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
+  const parsedIssuerUrl = new import_utils13.URL(issuer);
+  const authorizationServerWellKnownMetadataUrl = (0, import_utils13.joinUriParts)(parsedIssuerUrl.origin, [
     wellKnownAuthorizationServerSuffix,
     parsedIssuerUrl.pathname
   ]);
@@ -748,7 +1039,7 @@ async function fetchAuthorizationServerMetadata(issuer, fetch) {
     }
     return authorizationServerResult;
   }
-  const nonCompliantAuthorizationServerWellKnownMetadataUrl = (0, import_utils9.joinUriParts)(issuer, [wellKnownAuthorizationServerSuffix]);
+  const nonCompliantAuthorizationServerWellKnownMetadataUrl = (0, import_utils13.joinUriParts)(issuer, [wellKnownAuthorizationServerSuffix]);
   const alternativeAuthorizationServerResult = nonCompliantAuthorizationServerWellKnownMetadataUrl !== authorizationServerWellKnownMetadataUrl ? await fetchWellKnownMetadata(
     nonCompliantAuthorizationServerWellKnownMetadataUrl,
     zAuthorizationServerMetadata,
@@ -790,13 +1081,13 @@ function getAuthorizationServerMetadataFromList(authorizationServersMetadata, is
 }
 
 // src/metadata/fetch-jwks-uri.ts
-var import_utils10 = require("@openid4vc/utils");
-var import_utils11 = require("@openid4vc/utils");
+var import_utils14 = require("@openid4vc/utils");
+var import_utils15 = require("@openid4vc/utils");
 async function fetchJwks(jwksUrl, fetch) {
-  const fetcher = (0, import_utils10.createZodFetcher)(fetch);
-  const { result, response } = await fetcher(zJwkSet, import_utils10.ContentType.JwkSet, jwksUrl);
+  const fetcher = (0, import_utils14.createZodFetcher)(fetch);
+  const { result, response } = await fetcher(zJwkSet, import_utils14.ContentType.JwkSet, jwksUrl);
   if (!response.ok) {
-    throw new import_utils11.InvalidFetchResponseError(
+    throw new import_utils15.InvalidFetchResponseError(
       `Fetching JWKs from jwks_uri '${jwksUrl}' resulted in an unsuccessfull response with status code '${response.status}'.`,
       await response.clone().text(),
       response
@@ -808,78 +1099,25 @@ async function fetchJwks(jwksUrl, fetch) {
   return result.data;
 }
 
-// src/common/jwt/verify-jwt.ts
-var import_utils12 = require("@openid4vc/utils");
-async function verifyJwt(options) {
-  const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
-  let signerJwk;
-  try {
-    const result = await options.verifyJwtCallback(options.signer, {
-      header: options.header,
-      payload: options.payload,
-      compact: options.compact
-    });
-    if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
-    signerJwk = result.signerJwk;
-  } catch (error) {
-    if (error instanceof Oauth2JwtVerificationError) throw error;
-    throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
-  }
-  const nowInSeconds = (0, import_utils12.dateToSeconds)(options.now ?? /* @__PURE__ */ new Date());
-  const skewInSeconds = options.allowedSkewInSeconds ?? 0;
-  const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
-  if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
-  }
-  if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
-  }
-  if (options.expectedAudience && options.expectedAudience !== options.payload.aud) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
-  }
-  if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
-  }
-  if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
-  }
-  if (options.expectedSubject && options.expectedSubject !== options.payload.sub) {
-    throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
-  }
-  if (options.requiredClaims) {
-    for (const claim of options.requiredClaims) {
-      if (!options.payload[claim]) {
-        throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
-      }
-    }
-  }
-  return {
-    signer: {
-      ...options.signer,
-      publicJwk: signerJwk
-    }
-  };
-}
-
 // src/access-token/z-access-token-jwt.ts
-var import_utils13 = require("@openid4vc/utils");
-var import_zod9 = __toESM(require("zod"));
-var zAccessTokenProfileJwtHeader = import_zod9.default.object({
+var import_utils16 = require("@openid4vc/utils");
+var import_zod10 = __toESM(require("zod"));
+var zAccessTokenProfileJwtHeader = import_zod10.default.object({
   ...zJwtHeader.shape,
-  typ: import_zod9.default.enum(["application/at+jwt", "at+jwt"])
+  typ: import_zod10.default.enum(["application/at+jwt", "at+jwt"])
 }).passthrough();
-var zAccessTokenProfileJwtPayload = import_zod9.default.object({
+var zAccessTokenProfileJwtPayload = import_zod10.default.object({
   ...zJwtPayload.shape,
-  iss: import_zod9.default.string(),
-  exp: import_utils13.zInteger,
-  iat: import_utils13.zInteger,
-  aud: import_zod9.default.string(),
-  sub: import_zod9.default.string(),
+  iss: import_zod10.default.string(),
+  exp: import_utils16.zInteger,
+  iat: import_utils16.zInteger,
+  aud: import_zod10.default.string(),
+  sub: import_zod10.default.string(),
   // REQUIRED according to RFC 9068, but OpenID4VCI allows anonymous access
-  client_id: import_zod9.default.optional(import_zod9.default.string()),
-  jti: import_zod9.default.string(),
+  client_id: import_zod10.default.optional(import_zod10.default.string()),
+  jti: import_zod10.default.string(),
   // SHOULD be included in the authorization request contained it
-  scope: import_zod9.default.optional(import_zod9.default.string())
+  scope: import_zod10.default.optional(import_zod10.default.string())
 }).passthrough();
 
 // src/access-token/verify-access-token.ts
@@ -930,26 +1168,26 @@ async function verifyJwtProfileAccessToken(options) {
 }
 
 // src/resource-request/make-resource-request.ts
-var import_utils16 = require("@openid4vc/utils");
+var import_utils19 = require("@openid4vc/utils");
 
 // src/dpop/dpop.ts
-var import_utils15 = require("@openid4vc/utils");
+var import_utils18 = require("@openid4vc/utils");
 
 // src/dpop/z-dpop.ts
-var import_utils14 = require("@openid4vc/utils");
-var import_zod10 = __toESM(require("zod"));
-var zDpopJwtPayload = import_zod10.default.object({
+var import_utils17 = require("@openid4vc/utils");
+var import_zod11 = __toESM(require("zod"));
+var zDpopJwtPayload = import_zod11.default.object({
   ...zJwtPayload.shape,
-  iat: import_utils14.zInteger,
-  htu: import_utils14.zHttpsUrl,
-  htm: import_utils14.zHttpMethod,
-  jti: import_zod10.default.string(),
+  iat: import_utils17.zInteger,
+  htu: import_utils17.zHttpsUrl,
+  htm: import_utils17.zHttpMethod,
+  jti: import_zod11.default.string(),
   // Only required when presenting in combination with access token
-  ath: import_zod10.default.optional(import_zod10.default.string())
+  ath: import_zod11.default.optional(import_zod11.default.string())
 }).passthrough();
-var zDpopJwtHeader = import_zod10.default.object({
+var zDpopJwtHeader = import_zod11.default.object({
   ...zJwtHeader.shape,
-  typ: import_zod10.default.literal("dpop+jwt"),
+  typ: import_zod11.default.literal("dpop+jwt"),
   jwk: zJwk
 }).passthrough();
 
@@ -963,18 +1201,18 @@ async function createDpopHeadersForRequest(options) {
 async function createDpopJwt(options) {
   let ath = void 0;
   if (options.accessToken) {
-    ath = (0, import_utils15.encodeToBase64Url)(await options.callbacks.hash((0, import_utils15.decodeUtf8String)(options.accessToken), "sha-256" /* Sha256 */));
+    ath = (0, import_utils18.encodeToBase64Url)(await options.callbacks.hash((0, import_utils18.decodeUtf8String)(options.accessToken), "sha-256" /* Sha256 */));
   }
-  const header = (0, import_utils15.parseWithErrorHandling)(zDpopJwtHeader, {
+  const header = (0, import_utils18.parseWithErrorHandling)(zDpopJwtHeader, {
     typ: "dpop+jwt",
     jwk: options.signer.publicJwk,
     alg: options.signer.alg
   });
-  const payload = (0, import_utils15.parseWithErrorHandling)(zDpopJwtPayload, {
+  const payload = (0, import_utils18.parseWithErrorHandling)(zDpopJwtPayload, {
     htu: htuFromRequestUrl(options.request.url),
-    iat: (0, import_utils15.dateToSeconds)(options.issuedAt),
+    iat: (0, import_utils18.dateToSeconds)(options.issuedAt),
     htm: options.request.method,
-    jti: (0, import_utils15.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
+    jti: (0, import_utils18.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
     ath,
     nonce: options.nonce,
     ...options.additionalPayload
@@ -986,78 +1224,89 @@ async function createDpopJwt(options) {
   return jwt;
 }
 async function verifyDpopJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.dpopJwt,
-    headerSchema: zDpopJwtHeader,
-    payloadSchema: zDpopJwtPayload
-  });
-  if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) {
-    throw new Oauth2Error(
-      `dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`
-    );
-  }
-  if (options.expectedNonce) {
-    if (!payload.nonce) {
-      throw new Oauth2Error(`Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`);
+  try {
+    const { header, payload } = decodeJwt({
+      jwt: options.dpopJwt,
+      headerSchema: zDpopJwtHeader,
+      payloadSchema: zDpopJwtPayload
+    });
+    if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) {
+      throw new Oauth2Error(
+        `dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`
+      );
+    }
+    if (options.expectedNonce) {
+      if (!payload.nonce) {
+        throw new Oauth2Error(
+          `Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`
+        );
+      }
+      if (payload.nonce !== options.expectedNonce) {
+        throw new Oauth2Error(
+          `Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`
+        );
+      }
     }
-    if (payload.nonce !== options.expectedNonce) {
+    if (options.request.method !== payload.htm) {
       throw new Oauth2Error(
-        `Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`
+        `Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`
       );
     }
-  }
-  if (options.request.method !== payload.htm) {
-    throw new Oauth2Error(
-      `Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`
-    );
-  }
-  const expectedHtu = htuFromRequestUrl(options.request.url);
-  if (expectedHtu !== payload.htu) {
-    throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
-  }
-  if (options.accessToken) {
-    const expectedAth = (0, import_utils15.encodeToBase64Url)(
-      await options.callbacks.hash((0, import_utils15.decodeUtf8String)(options.accessToken), "sha-256" /* Sha256 */)
-    );
-    if (!payload.ath) {
-      throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
+    const expectedHtu = htuFromRequestUrl(options.request.url);
+    if (expectedHtu !== payload.htu) {
+      throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
     }
-    if (payload.ath !== expectedAth) {
-      throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
+    if (options.accessToken) {
+      const expectedAth = (0, import_utils18.encodeToBase64Url)(
+        await options.callbacks.hash((0, import_utils18.decodeUtf8String)(options.accessToken), "sha-256" /* Sha256 */)
+      );
+      if (!payload.ath) {
+        throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
+      }
+      if (payload.ath !== expectedAth) {
+        throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
+      }
     }
-  }
-  if (options.expectedJwkThumbprint) {
-    const jwkThumprint = await calculateJwkThumbprint({
+    const jwkThumbprint = await calculateJwkThumbprint({
       hashAlgorithm: "sha-256" /* Sha256 */,
       hashCallback: options.callbacks.hash,
       jwk: header.jwk
     });
-    if (options.expectedJwkThumbprint !== jwkThumprint) {
+    if (options.expectedJwkThumbprint && options.expectedJwkThumbprint !== jwkThumbprint) {
       throw new Oauth2Error(
-        `Dpop is signed with jwk with thumbprint value '${jwkThumprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`
+        `Dpop is signed with jwk with thumbprint value '${jwkThumbprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`
       );
     }
+    await verifyJwt({
+      signer: {
+        alg: header.alg,
+        method: "jwk",
+        publicJwk: header.jwk
+      },
+      now: options.now,
+      header,
+      payload,
+      compact: options.dpopJwt,
+      verifyJwtCallback: options.callbacks.verifyJwt,
+      errorMessage: "dpop jwt verification failed"
+    });
+    return {
+      header,
+      payload,
+      jwkThumbprint
+    };
+  } catch (error) {
+    if (error instanceof Oauth2Error) {
+      throw new Oauth2ServerErrorResponseError({
+        error: "invalid_dpop_proof" /* InvalidDpopProof */,
+        error_description: error.message
+      });
+    }
+    throw error;
   }
-  await verifyJwt({
-    signer: {
-      alg: header.alg,
-      method: "jwk",
-      publicJwk: header.jwk
-    },
-    now: options.now,
-    header,
-    payload,
-    compact: options.dpopJwt,
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "dpop jwt verification failed"
-  });
-  return {
-    header,
-    payload
-  };
 }
 function htuFromRequestUrl(requestUrl) {
-  const htu = new import_utils15.URL(requestUrl);
+  const htu = new import_utils18.URL(requestUrl);
   htu.search = "";
   htu.hash = "";
   return htu.toString();
@@ -1067,10 +1316,13 @@ function extractDpopNonceFromHeaders(headers) {
 }
 function extractDpopJwtFromHeaders(headers) {
   const dpopJwt = headers.get("DPoP");
-  if (dpopJwt && (typeof dpopJwt !== "string" || dpopJwt.includes(","))) {
+  if (!dpopJwt) {
+    return { valid: true };
+  }
+  if (!zCompactJwt.safeParse(dpopJwt).success) {
     return { valid: false };
   }
-  return { valid: true, dpopJwt: dpopJwt ?? void 0 };
+  return { valid: true, dpopJwt };
 }
 
 // src/dpop/dpop-retry.ts
@@ -1142,7 +1394,7 @@ async function resourceRequest(options) {
     nonce: options.dpop.nonce,
     accessToken: options.accessToken
   }) : void 0;
-  const response = await (0, import_utils16.createFetcher)(options.callbacks.fetch)(options.url, {
+  const response = await (0, import_utils19.createFetcher)(options.callbacks.fetch)(options.url, {
     ...options.requestOptions,
     headers: {
       ...options.requestOptions.headers,
@@ -1189,40 +1441,40 @@ async function resourceRequest(options) {
 }
 
 // src/resource-request/verify-resource-request.ts
-var import_utils21 = require("@openid4vc/utils");
+var import_utils24 = require("@openid4vc/utils");
 
 // src/access-token/introspect-token.ts
-var import_utils18 = require("@openid4vc/utils");
-var import_utils19 = require("@openid4vc/utils");
-var import_utils20 = require("@openid4vc/utils");
+var import_utils21 = require("@openid4vc/utils");
+var import_utils22 = require("@openid4vc/utils");
+var import_utils23 = require("@openid4vc/utils");
 
 // src/access-token/z-token-introspection.ts
-var import_utils17 = require("@openid4vc/utils");
-var import_zod11 = __toESM(require("zod"));
-var zTokenIntrospectionRequest = import_zod11.default.object({
-  token: import_zod11.default.string(),
-  token_type_hint: import_zod11.default.optional(import_zod11.default.string())
+var import_utils20 = require("@openid4vc/utils");
+var import_zod12 = __toESM(require("zod"));
+var zTokenIntrospectionRequest = import_zod12.default.object({
+  token: import_zod12.default.string(),
+  token_type_hint: import_zod12.default.optional(import_zod12.default.string())
 }).passthrough();
-var zTokenIntrospectionResponse = import_zod11.default.object({
-  active: import_zod11.default.boolean(),
-  scope: import_zod11.default.optional(import_zod11.default.string()),
-  client_id: import_zod11.default.optional(import_zod11.default.string()),
-  username: import_zod11.default.optional(import_zod11.default.string()),
-  token_type: import_zod11.default.optional(import_zod11.default.string()),
-  exp: import_zod11.default.optional(import_utils17.zInteger),
-  iat: import_zod11.default.optional(import_utils17.zInteger),
-  nbf: import_zod11.default.optional(import_utils17.zInteger),
-  sub: import_zod11.default.optional(import_zod11.default.string()),
-  aud: import_zod11.default.optional(import_zod11.default.string()),
-  iss: import_zod11.default.optional(import_zod11.default.string()),
-  jti: import_zod11.default.optional(import_zod11.default.string()),
-  cnf: import_zod11.default.optional(zJwtConfirmationPayload)
+var zTokenIntrospectionResponse = import_zod12.default.object({
+  active: import_zod12.default.boolean(),
+  scope: import_zod12.default.optional(import_zod12.default.string()),
+  client_id: import_zod12.default.optional(import_zod12.default.string()),
+  username: import_zod12.default.optional(import_zod12.default.string()),
+  token_type: import_zod12.default.optional(import_zod12.default.string()),
+  exp: import_zod12.default.optional(import_utils20.zInteger),
+  iat: import_zod12.default.optional(import_utils20.zInteger),
+  nbf: import_zod12.default.optional(import_utils20.zInteger),
+  sub: import_zod12.default.optional(import_zod12.default.string()),
+  aud: import_zod12.default.optional(import_zod12.default.string()),
+  iss: import_zod12.default.optional(import_zod12.default.string()),
+  jti: import_zod12.default.optional(import_zod12.default.string()),
+  cnf: import_zod12.default.optional(zJwtConfirmationPayload)
 }).passthrough();
 
 // src/access-token/introspect-token.ts
 async function introspectToken(options) {
-  const fetchWithZod = (0, import_utils18.createZodFetcher)(options.callbacks.fetch);
-  const introspectionRequest = (0, import_utils18.parseWithErrorHandling)(zTokenIntrospectionRequest, {
+  const fetchWithZod = (0, import_utils21.createZodFetcher)(options.callbacks.fetch);
+  const introspectionRequest = (0, import_utils21.parseWithErrorHandling)(zTokenIntrospectionRequest, {
     token: options.token,
     token_type_hint: options.tokenTypeHint,
     ...options.additionalPayload
@@ -1231,29 +1483,29 @@ async function introspectToken(options) {
   if (!introspectionEndpoint) {
     throw new Oauth2Error(`Missing required 'introspection_endpoint' parameter in authorization server metadata`);
   }
-  const headers = new import_utils20.Headers({
-    "Content-Type": import_utils18.ContentType.XWwwFormUrlencoded
+  const headers = new import_utils23.Headers({
+    "Content-Type": import_utils21.ContentType.XWwwFormUrlencoded
   });
   await options.callbacks.clientAuthentication({
     url: introspectionEndpoint,
     method: "POST",
-    authorizationServerMetata: options.authorizationServerMetadata,
+    authorizationServerMetadata: options.authorizationServerMetadata,
     body: introspectionRequest,
-    contentType: import_utils18.ContentType.XWwwFormUrlencoded,
+    contentType: import_utils21.ContentType.XWwwFormUrlencoded,
     headers
   });
   const { result, response } = await fetchWithZod(
     zTokenIntrospectionResponse,
-    import_utils18.ContentType.Json,
+    import_utils21.ContentType.Json,
     introspectionEndpoint,
     {
-      body: (0, import_utils18.objectToQueryParams)(introspectionRequest).toString(),
+      body: (0, import_utils21.objectToQueryParams)(introspectionRequest).toString(),
       method: "POST",
       headers
     }
   );
   if (!response.ok || !result?.success) {
-    throw new import_utils19.InvalidFetchResponseError(
+    throw new import_utils22.InvalidFetchResponseError(
       `Unable to introspect token from '${introspectionEndpoint}'. Received response with status ${response.status}`,
       await response.clone().text(),
       response
@@ -1297,7 +1549,7 @@ async function verifyResourceRequest(options) {
     resourceServer: options.resourceServer,
     now: options.now
   }).catch((error) => {
-    if (error instanceof Oauth2JwtParseError || error instanceof import_utils21.ValidationError) return null;
+    if (error instanceof Oauth2JwtParseError || error instanceof import_utils24.ValidationError) return null;
     const errorMessage = error instanceof Oauth2Error ? error.message : "Invalid access token";
     throw new Oauth2ResourceUnauthorizedError(
       `Error occured during verification of jwt profile access token: ${error.message}`,
@@ -1389,7 +1641,7 @@ async function verifyResourceRequest(options) {
   }
   return {
     tokenPayload,
-    dpopJwk,
+    dpop: dpopJwk ? { jwk: dpopJwk } : void 0,
     scheme,
     accessToken,
     authorizationServer: authorizationServer.issuer
@@ -1397,10 +1649,23 @@ async function verifyResourceRequest(options) {
 }
 
 // src/client-authentication.ts
-var import_utils22 = require("@openid4vc/utils");
+var import_utils25 = require("@openid4vc/utils");
+
+// src/z-grant-type.ts
+var import_zod13 = __toESM(require("zod"));
+var zPreAuthorizedCodeGrantIdentifier = import_zod13.default.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
+var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
+var zAuthorizationCodeGrantIdentifier = import_zod13.default.literal("authorization_code");
+var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
+var zRefreshTokenGrantIdentifier = import_zod13.default.literal("refresh_token");
+var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
+
+// src/client-authentication.ts
 var SupportedClientAuthenticationMethod = /* @__PURE__ */ ((SupportedClientAuthenticationMethod2) => {
   SupportedClientAuthenticationMethod2["ClientSecretBasic"] = "client_secret_basic";
   SupportedClientAuthenticationMethod2["ClientSecretPost"] = "client_secret_post";
+  SupportedClientAuthenticationMethod2["ClientAttestationJwt"] = "attest_jwt_client_auth";
+  SupportedClientAuthenticationMethod2["None"] = "none";
   return SupportedClientAuthenticationMethod2;
 })(SupportedClientAuthenticationMethod || {});
 function getSupportedClientAuthenticationMethod(authorizationServer, endpointType) {
@@ -1436,15 +1701,21 @@ function getSupportedClientAuthenticationMethod(authorizationServer, endpointTyp
 }
 function clientAuthenticationDynamic(options) {
   return (callbackOptions) => {
-    const { url, authorizationServerMetata } = callbackOptions;
-    const endpointType = url === authorizationServerMetata.introspection_endpoint ? "introspection" : "endpoint";
-    const method = getSupportedClientAuthenticationMethod(authorizationServerMetata, endpointType);
+    const { url, authorizationServerMetadata, body } = callbackOptions;
+    const endpointType = url === authorizationServerMetadata.introspection_endpoint ? "introspection" : url === authorizationServerMetadata.token_endpoint ? "token" : "endpoint";
+    const method = getSupportedClientAuthenticationMethod(authorizationServerMetadata, endpointType);
+    if (endpointType === "token" && body.grant_type === preAuthorizedCodeGrantIdentifier && authorizationServerMetadata.pre_authorized_grant_anonymous_access_supported) {
+      return clientAuthenticationAnonymous()(callbackOptions);
+    }
     if (method === "client_secret_basic" /* ClientSecretBasic */) {
       return clientAuthenticationClientSecretBasic(options)(callbackOptions);
     }
     if (method === "client_secret_post" /* ClientSecretPost */) {
       return clientAuthenticationClientSecretPost(options)(callbackOptions);
     }
+    if (method === "none" /* None */) {
+      return clientAuthenticationNone(options)(callbackOptions);
+    }
     throw new Oauth2Error(
       `Unsupported client auth method ${method}. Supported values are ${Object.values(
         SupportedClientAuthenticationMethod
@@ -1460,40 +1731,61 @@ function clientAuthenticationClientSecretPost(options) {
 }
 function clientAuthenticationClientSecretBasic(options) {
   return ({ headers }) => {
-    const authorization = (0, import_utils22.encodeToBase64Url)((0, import_utils22.decodeUtf8String)(`${options.clientId}:${options.clientSecret}`));
+    const authorization = (0, import_utils25.encodeToBase64Url)((0, import_utils25.decodeUtf8String)(`${options.clientId}:${options.clientSecret}`));
     headers.set("Authorization", `Basic ${authorization}`);
   };
 }
-function clientAuthenticationNone() {
+function clientAuthenticationNone(options) {
+  return ({ body }) => {
+    body.client_id = options.clientId;
+  };
+}
+function clientAuthenticationAnonymous() {
   return () => {
   };
 }
+function clientAuthenticationClientAttestationJwt(options) {
+  return async ({ headers, authorizationServerMetadata }) => {
+    const clientAttestationPop = await createClientAttestationPopJwt({
+      authorizationServer: authorizationServerMetadata.issuer,
+      callbacks: options.callbacks,
+      clientAttestation: options.clientAttestationJwt
+      // TODO: support client attestation nonce
+      // We can fetch it before making the request if we don't have a nonce
+      // https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-05.html
+      // https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/101
+      // nonce:
+    });
+    headers.set(oauthClientAttestationHeader, options.clientAttestationJwt);
+    headers.set(oauthClientAttestationPopHeader, clientAttestationPop);
+  };
+}
 
 // src/Oauth2AuthorizationServer.ts
-var import_utils34 = require("@openid4vc/utils");
+var import_utils37 = require("@openid4vc/utils");
 
 // src/access-token/create-access-token.ts
-var import_utils23 = require("@openid4vc/utils");
+var import_utils26 = require("@openid4vc/utils");
 async function createAccessTokenJwt(options) {
-  const header = (0, import_utils23.parseWithErrorHandling)(zAccessTokenProfileJwtHeader, {
+  const header = (0, import_utils26.parseWithErrorHandling)(zAccessTokenProfileJwtHeader, {
     ...jwtHeaderFromJwtSigner(options.signer),
     typ: "at+jwt"
   });
   const now = options.now ?? /* @__PURE__ */ new Date();
-  const payload = (0, import_utils23.parseWithErrorHandling)(zAccessTokenProfileJwtPayload, {
-    iat: (0, import_utils23.dateToSeconds)(now),
-    exp: (0, import_utils23.dateToSeconds)((0, import_utils23.addSecondsToDate)(now, options.expiresInSeconds)),
+  const payload = (0, import_utils26.parseWithErrorHandling)(zAccessTokenProfileJwtPayload, {
+    iat: (0, import_utils26.dateToSeconds)(now),
+    exp: (0, import_utils26.dateToSeconds)((0, import_utils26.addSecondsToDate)(now, options.expiresInSeconds)),
     aud: options.audience,
     iss: options.authorizationServer,
-    jti: (0, import_utils23.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
+    jti: (0, import_utils26.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
     client_id: options.clientId,
     sub: options.subject,
     scope: options.scope,
-    cnf: options.dpopJwk ? {
+    cnf: options.dpop ? {
       jkt: await calculateJwkThumbprint({
         hashAlgorithm: "sha-256" /* Sha256 */,
         hashCallback: options.callbacks.hash,
-        jwk: options.dpopJwk
+        jwk: options.dpop.jwk
       })
     } : void 0,
     ...options.additionalPayload
@@ -1508,45 +1800,34 @@ async function createAccessTokenJwt(options) {
 }
 
 // src/access-token/create-access-token-response.ts
-var import_utils25 = require("@openid4vc/utils");
-
-// src/access-token/z-access-token.ts
-var import_zod13 = __toESM(require("zod"));
-var import_utils24 = require("@openid4vc/utils");
-
-// src/z-grant-type.ts
-var import_zod12 = __toESM(require("zod"));
-var zPreAuthorizedCodeGrantIdentifier = import_zod12.default.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
-var preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
-var zAuthorizationCodeGrantIdentifier = import_zod12.default.literal("authorization_code");
-var authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
-var zRefreshTokenGrantIdentifier = import_zod12.default.literal("refresh_token");
-var refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
+var import_utils28 = require("@openid4vc/utils");
 
 // src/access-token/z-access-token.ts
-var zAccessTokenRequest = import_zod13.default.intersection(
-  import_zod13.default.object({
+var import_zod14 = __toESM(require("zod"));
+var import_utils27 = require("@openid4vc/utils");
+var zAccessTokenRequest = import_zod14.default.intersection(
+  import_zod14.default.object({
     // Pre authorized code flow
-    "pre-authorized_code": import_zod13.default.optional(import_zod13.default.string()),
+    "pre-authorized_code": import_zod14.default.optional(import_zod14.default.string()),
     // Authorization code flow
-    code: import_zod13.default.optional(import_zod13.default.string()),
-    redirect_uri: import_zod13.default.string().url().optional(),
+    code: import_zod14.default.optional(import_zod14.default.string()),
+    redirect_uri: import_zod14.default.string().url().optional(),
     // Refresh token grant
-    refresh_token: import_zod13.default.optional(import_zod13.default.string()),
-    resource: import_zod13.default.optional(import_utils24.zHttpsUrl),
-    code_verifier: import_zod13.default.optional(import_zod13.default.string()),
-    grant_type: import_zod13.default.union([
+    refresh_token: import_zod14.default.optional(import_zod14.default.string()),
+    resource: import_zod14.default.optional(import_utils27.zHttpsUrl),
+    code_verifier: import_zod14.default.optional(import_zod14.default.string()),
+    grant_type: import_zod14.default.union([
       zPreAuthorizedCodeGrantIdentifier,
       zAuthorizationCodeGrantIdentifier,
       zRefreshTokenGrantIdentifier,
       // string makes the previous ones unessary, but it does help with error messages
-      import_zod13.default.string()
+      import_zod14.default.string()
     ])
   }).passthrough(),
-  import_zod13.default.object({
-    tx_code: import_zod13.default.optional(import_zod13.default.string()),
+  import_zod14.default.object({
+    tx_code: import_zod14.default.optional(import_zod14.default.string()),
     // user_pin is from OpenID4VCI draft 11
-    user_pin: import_zod13.default.optional(import_zod13.default.string())
+    user_pin: import_zod14.default.optional(import_zod14.default.string())
   }).passthrough().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, {
     message: `If both 'tx_code' and 'user_pin' are present they must match`
   }).transform(({ tx_code, user_pin, ...rest }) => {
@@ -1556,20 +1837,20 @@ var zAccessTokenRequest = import_zod13.default.intersection(
     };
   })
 );
-var zAccessTokenResponse = import_zod13.default.object({
-  access_token: import_zod13.default.string(),
-  token_type: import_zod13.default.string(),
-  expires_in: import_zod13.default.optional(import_zod13.default.number().int()),
-  scope: import_zod13.default.optional(import_zod13.default.string()),
-  state: import_zod13.default.optional(import_zod13.default.string()),
-  refresh_token: import_zod13.default.optional(import_zod13.default.string()),
+var zAccessTokenResponse = import_zod14.default.object({
+  access_token: import_zod14.default.string(),
+  token_type: import_zod14.default.string(),
+  expires_in: import_zod14.default.optional(import_zod14.default.number().int()),
+  scope: import_zod14.default.optional(import_zod14.default.string()),
+  state: import_zod14.default.optional(import_zod14.default.string()),
+  refresh_token: import_zod14.default.optional(import_zod14.default.string()),
   // OpenID4VCI specific parameters
-  c_nonce: import_zod13.default.optional(import_zod13.default.string()),
-  c_nonce_expires_in: import_zod13.default.optional(import_zod13.default.number().int()),
+  c_nonce: import_zod14.default.optional(import_zod14.default.string()),
+  c_nonce_expires_in: import_zod14.default.optional(import_zod14.default.number().int()),
   // TODO: add additional params
-  authorization_details: import_zod13.default.array(
-    import_zod13.default.object({
-      // requried when type is openid_credential (so we probably need a discriminator)
+  authorization_details: import_zod14.default.array(
+    import_zod14.default.object({
+      // required when type is openid_credential (so we probably need a discriminator)
       // credential_identifiers: z.array(z.string()),
     }).passthrough()
   ).optional()
@@ -1578,7 +1859,7 @@ var zAccessTokenErrorResponse = zOauth2ErrorResponse;
 
 // src/access-token/create-access-token-response.ts
 async function createAccessTokenResponse(options) {
-  const accessTokenResponse = (0, import_utils25.parseWithErrorHandling)(zAccessTokenResponse, {
+  const accessTokenResponse = (0, import_utils28.parseWithErrorHandling)(zAccessTokenResponse, {
     access_token: options.accessToken,
     token_type: options.tokenType,
     expires_in: options.expiresInSeconds,
@@ -1590,13 +1871,14 @@ async function createAccessTokenResponse(options) {
 }
 
 // src/access-token/parse-access-token-request.ts
+var import_utils29 = require("@openid4vc/utils");
 function parseAccessTokenRequest(options) {
   const parsedAccessTokenRequest = zAccessTokenRequest.safeParse(options.accessTokenRequest);
   if (!parsedAccessTokenRequest.success) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_request" /* InvalidRequest */,
       error_description: `Error occured during validation of authorization request.
-${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
+${(0, import_utils29.formatZodError)(parsedAccessTokenRequest.error)}`
     });
   }
   const accessTokenRequest = parsedAccessTokenRequest.data;
@@ -1637,17 +1919,30 @@ ${JSON.stringify(parsedAccessTokenRequest.error.issues, null, 2)}`
       error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
     });
   }
+  const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
+  if (!extractedClientAttestationJwts.valid) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_client" /* InvalidClient */,
+      error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
+    });
+  }
   const pkceCodeVerifier = accessTokenRequest.code_verifier;
   return {
     accessTokenRequest,
     grant,
-    dpopJwt: extractedDpopJwt.dpopJwt,
+    dpop: extractedDpopJwt.dpopJwt ? {
+      jwt: extractedDpopJwt.dpopJwt
+    } : void 0,
+    clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
+      clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
+      clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
+    } : void 0,
     pkceCodeVerifier
   };
 }
 
 // src/pkce.ts
-var import_utils26 = require("@openid4vc/utils");
+var import_utils30 = require("@openid4vc/utils");
 var PkceCodeChallengeMethod = /* @__PURE__ */ ((PkceCodeChallengeMethod2) => {
   PkceCodeChallengeMethod2["Plain"] = "plain";
   PkceCodeChallengeMethod2["S256"] = "S256";
@@ -1662,7 +1957,7 @@ async function createPkce(options) {
     throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
   }
   const codeChallengeMethod = allowedCodeChallengeMethods.includes("S256" /* S256 */) ? "S256" /* S256 */ : "plain" /* Plain */;
-  const codeVerifier = options.codeVerifier ?? (0, import_utils26.encodeToBase64Url)(await options.callbacks.generateRandom(64));
+  const codeVerifier = options.codeVerifier ?? (0, import_utils30.encodeToBase64Url)(await options.callbacks.generateRandom(64));
   return {
     codeVerifier,
     codeChallenge: await calculateCodeChallenge({
@@ -1690,13 +1985,24 @@ async function calculateCodeChallenge(options) {
     return options.codeVerifier;
   }
   if (options.codeChallengeMethod === "S256" /* S256 */) {
-    return (0, import_utils26.encodeToBase64Url)(await options.hashCallback((0, import_utils26.decodeUtf8String)(options.codeVerifier), "sha-256" /* Sha256 */));
+    return (0, import_utils30.encodeToBase64Url)(await options.hashCallback((0, import_utils30.decodeUtf8String)(options.codeVerifier), "sha-256" /* Sha256 */));
   }
   throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
 }
 
 // src/access-token/verify-access-token-request.ts
 async function verifyPreAuthorizedCodeAccessTokenRequest(options) {
+  if (options.pkce) {
+    await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
+  }
+  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
+  const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(
+    options.clientAttestation,
+    options.authorizationServerMetadata,
+    options.callbacks,
+    dpopResult?.jwkThumbprint,
+    options.now
+  ) : void 0;
   if (options.grant.preAuthorizedCode !== options.expectedPreAuthorizedCode) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_grant" /* InvalidGrant */,
@@ -1735,13 +2041,20 @@ async function verifyPreAuthorizedCodeAccessTokenRequest(options) {
       );
     }
   }
+  return { dpop: dpopResult, clientAttestation: clientAttestationResult };
+}
+async function verifyAuthorizationCodeAccessTokenRequest(options) {
   if (options.pkce) {
     await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
   }
-  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : null;
-  return { dpopJwk: dpopResult?.dpopJwk };
-}
-async function verifyAuthorizationCodeAccessTokenRequest(options) {
+  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
+  const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(
+    options.clientAttestation,
+    options.authorizationServerMetadata,
+    options.callbacks,
+    dpopResult?.jwkThumbprint,
+    options.now
+  ) : void 0;
   if (options.grant.code !== options.expectedCode) {
     throw new Oauth2ServerErrorResponseError({
       error: "invalid_grant" /* InvalidGrant */,
@@ -1762,11 +2075,55 @@ async function verifyAuthorizationCodeAccessTokenRequest(options) {
       );
     }
   }
-  if (options.pkce) {
-    await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
+  return { dpop: dpopResult, clientAttestation: clientAttestationResult };
+}
+async function verifyAccessTokenRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now) {
+  if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
+    if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) {
+      return void 0;
+    }
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Missing required client attestation parameters in access token request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
+    });
+  }
+  const verifiedClientAttestation = await verifyClientAttestation({
+    authorizationServer: authorizationServerMetadata.issuer,
+    callbacks,
+    clientAttestationJwt: options.clientAttestationJwt,
+    clientAttestationPopJwt: options.clientAttestationPopJwt,
+    now
+  });
+  if (options.expectedClientId !== verifiedClientAttestation.clientAttestation.payload.sub) {
+    throw new Oauth2ServerErrorResponseError(
+      {
+        error: "invalid_client" /* InvalidClient */,
+        error_description: `The client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation does not match the client id for the authorization.`
+      },
+      {
+        status: 401
+      }
+    );
+  }
+  if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
+    const clientAttestationJkt = await calculateJwkThumbprint({
+      hashAlgorithm: "sha-256" /* Sha256 */,
+      hashCallback: callbacks.hash,
+      jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
+    });
+    if (clientAttestationJkt !== dpopJwkThumbprint) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: "invalid_request" /* InvalidRequest */,
+          error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensrue both DPoP and client attestation use the same key."
+        },
+        {
+          status: 401
+        }
+      );
+    }
   }
-  const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : null;
-  return { dpopJwk: dpopResult?.dpopJwk };
+  return verifiedClientAttestation;
 }
 async function verifyAccessTokenRequestDpop(options, request, callbacks) {
   if (options.required && !options.jwt) {
@@ -1775,26 +2132,18 @@ async function verifyAccessTokenRequestDpop(options, request, callbacks) {
       error_description: "Missing required DPoP proof"
     });
   }
-  if (!options.jwt) return null;
-  try {
-    const { header } = await verifyDpopJwt({
-      callbacks,
-      dpopJwt: options.jwt,
-      request,
-      allowedSigningAlgs: options.allowedSigningAlgs
-    });
-    return {
-      dpopJwk: header.jwk
-    };
-  } catch (error) {
-    if (error instanceof Oauth2Error) {
-      throw new Oauth2ServerErrorResponseError({
-        error: "invalid_dpop_proof" /* InvalidDpopProof */,
-        error_description: error.message
-      });
-    }
-    throw error;
-  }
+  if (!options.jwt) return void 0;
+  const { header, jwkThumbprint } = await verifyDpopJwt({
+    callbacks,
+    dpopJwt: options.jwt,
+    request,
+    allowedSigningAlgs: options.allowedSigningAlgs,
+    expectedJwkThumbprint: options.expectedJwkThumbprint
+  });
+  return {
+    jwk: header.jwk,
+    jwkThumbprint
+  };
 }
 async function verifyAccessTokenRequestPkce(options, callbacks) {
   if (options.codeChallenge && !options.codeVerifier) {
@@ -1823,281 +2172,298 @@ async function verifyAccessTokenRequestPkce(options, callbacks) {
 }
 
 // src/authorization-challenge/create-authorization-challenge-response.ts
-var import_utils29 = require("@openid4vc/utils");
+var import_utils33 = require("@openid4vc/utils");
 
 // src/authorization-challenge/z-authorization-challenge.ts
-var import_utils28 = require("@openid4vc/utils");
-var import_zod15 = __toESM(require("zod"));
+var import_utils32 = require("@openid4vc/utils");
+var import_zod16 = __toESM(require("zod"));
 
 // src/authorization-request/z-authorization-request.ts
-var import_utils27 = require("@openid4vc/utils");
-var import_zod14 = __toESM(require("zod"));
-var zAuthorizationRequest = import_zod14.default.object({
-  response_type: import_zod14.default.string(),
-  client_id: import_zod14.default.string(),
-  issuer_state: import_zod14.default.optional(import_zod14.default.string()),
-  redirect_uri: import_zod14.default.string().url().optional(),
-  resource: import_zod14.default.optional(import_utils27.zHttpsUrl),
-  scope: import_zod14.default.optional(import_zod14.default.string()),
+var import_utils31 = require("@openid4vc/utils");
+var import_zod15 = __toESM(require("zod"));
+var zAuthorizationRequest = import_zod15.default.object({
+  response_type: import_zod15.default.string(),
+  client_id: import_zod15.default.string(),
+  issuer_state: import_zod15.default.optional(import_zod15.default.string()),
+  redirect_uri: import_zod15.default.string().url().optional(),
+  resource: import_zod15.default.optional(import_utils31.zHttpsUrl),
+  scope: import_zod15.default.optional(import_zod15.default.string()),
   // DPoP jwk thumbprint
-  dpop_jkt: import_zod14.default.optional(import_zod14.default.string()),
-  code_challenge: import_zod14.default.optional(import_zod14.default.string()),
-  code_challenge_method: import_zod14.default.optional(import_zod14.default.string())
+  dpop_jkt: import_zod15.default.optional(import_zod15.default.string().base64url()),
+  code_challenge: import_zod15.default.optional(import_zod15.default.string()),
+  code_challenge_method: import_zod15.default.optional(import_zod15.default.string())
 }).passthrough();
-var zPushedAuthorizationRequest = import_zod14.default.object({
-  request_uri: import_zod14.default.string(),
-  client_id: import_zod14.default.string()
+var zPushedAuthorizationRequest = import_zod15.default.object({
+  request_uri: import_zod15.default.string(),
+  client_id: import_zod15.default.string()
 }).passthrough();
-var zPushedAuthorizationResponse = import_zod14.default.object({
-  request_uri: import_zod14.default.string(),
-  expires_in: import_zod14.default.number().int()
+var zPushedAuthorizationResponse = import_zod15.default.object({
+  request_uri: import_zod15.default.string(),
+  expires_in: import_zod15.default.number().int()
 }).passthrough();
 
 // src/authorization-challenge/z-authorization-challenge.ts
-var zAuthorizationChallengeRequest = import_zod15.default.object({
+var zAuthorizationChallengeRequest = import_zod16.default.object({
   // authorization challenge request can include same parameters as an authorization request
   // except for response_type (always `code`), and `client_id` is optional (becase
   // it's possible to do client authentication using different methods)
   ...zAuthorizationRequest.omit({ response_type: true, client_id: true }).shape,
-  client_id: import_zod15.default.optional(zAuthorizationRequest.shape.client_id),
-  auth_session: import_zod15.default.optional(import_zod15.default.string()),
+  client_id: import_zod16.default.optional(zAuthorizationRequest.shape.client_id),
+  auth_session: import_zod16.default.optional(import_zod16.default.string()),
   // DRAFT presentation during issuance
-  presentation_during_issuance_session: import_zod15.default.optional(import_zod15.default.string())
+  presentation_during_issuance_session: import_zod16.default.optional(import_zod16.default.string())
 }).passthrough();
-var zAuthorizationChallengeResponse = import_zod15.default.object({
-  authorization_code: import_zod15.default.string()
+var zAuthorizationChallengeResponse = import_zod16.default.object({
+  authorization_code: import_zod16.default.string()
 }).passthrough();
-var zAuthorizationChallengeErrorResponse = import_zod15.default.object({
+var zAuthorizationChallengeErrorResponse = import_zod16.default.object({
   ...zOauth2ErrorResponse.shape,
-  auth_session: import_zod15.default.optional(import_zod15.default.string()),
-  request_uri: import_zod15.default.optional(import_zod15.default.string()),
-  expires_in: import_zod15.default.optional(import_utils28.zInteger),
+  auth_session: import_zod16.default.optional(import_zod16.default.string()),
+  request_uri: import_zod16.default.optional(import_zod16.default.string()),
+  expires_in: import_zod16.default.optional(import_utils32.zInteger),
   // DRAFT: presentation during issuance
-  presentation: import_zod15.default.optional(import_zod15.default.string())
+  presentation: import_zod16.default.optional(import_zod16.default.string())
 }).passthrough();
 
 // src/authorization-challenge/create-authorization-challenge-response.ts
 function createAuthorizationChallengeResponse(options) {
-  const authorizationChallengeResponse = (0, import_utils29.parseWithErrorHandling)(zAuthorizationChallengeResponse, {
-    ...options.additionalPayload,
-    authorization_code: options.authorizationCode
-  });
-  return { authorizationChallengeResponse };
-}
-function createAuthorizationChallengeErrorResponse(options) {
-  const authorizationChallengeErrorResponse = (0, import_utils29.parseWithErrorHandling)(zAuthorizationChallengeErrorResponse, {
+  const authorizationChallengeResponse = (0, import_utils33.parseWithErrorHandling)(zAuthorizationChallengeResponse, {
     ...options.additionalPayload,
-    // General FiPA
-    error: options.error,
-    error_description: options.errorDescription,
-    auth_session: options.authSession,
-    // Presentation during issuance
-    presentation: options.presentation,
-    // PAR
-    request_uri: options.requestUri,
-    expires_in: options.expiresIn
-  });
-  return authorizationChallengeErrorResponse;
-}
-
-// src/authorization-challenge/parse-authorization-challenge-request.ts
-var import_utils30 = require("@openid4vc/utils");
-function parseAuthorizationChallengeRequest(options) {
-  const authorizationChallengeRequest = (0, import_utils30.parseWithErrorHandling)(
-    zAuthorizationChallengeRequest,
-    options.authorizationChallengeRequest
-  );
-  return { authorizationChallengeRequest };
-}
-
-// src/client-attestation/clent-attestation.ts
-var import_utils32 = require("@openid4vc/utils");
-
-// src/client-attestation/z-client-attestation.ts
-var import_utils31 = require("@openid4vc/utils");
-var import_zod16 = __toESM(require("zod"));
-var zOauthClientAttestationHeader = import_zod16.default.literal("OAuth-Client-Attestation");
-var oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
-var zClientAttestationJwtPayload = import_zod16.default.object({
-  ...zJwtPayload.shape,
-  iss: import_zod16.default.string(),
-  sub: import_zod16.default.string(),
-  exp: import_utils31.zInteger,
-  cnf: import_zod16.default.object({
-    jwk: zJwk,
-    key_type: import_zod16.default.optional(
-      import_zod16.default.union([
-        import_zod16.default.enum(["software", "hardware", "tee", "secure_enclave", "strong_box", "secure_element", "hsm"]),
-        import_zod16.default.string()
-      ])
-    ),
-    user_authentication: import_zod16.default.optional(
-      import_zod16.default.union([
-        import_zod16.default.enum(["system_biometry", "system_pin", "internal_biometry", "internal_pin", "secure_element_pin"]),
-        import_zod16.default.string()
-      ])
-    )
-  }).passthrough(),
-  aal: import_zod16.default.optional(import_zod16.default.string())
-}).passthrough();
-var zClientAttestationJwtHeader = import_zod16.default.object({
-  ...zJwtHeader.shape,
-  typ: import_zod16.default.literal("oauth-client-attestation+jwt")
-}).passthrough();
-var zOauthClientAttestationPopHeader = import_zod16.default.literal("OAuth-Client-Attestation-PoP");
-var oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
-var zClientAttestationPopJwtPayload = import_zod16.default.object({
-  ...zJwtPayload.shape,
-  iss: import_zod16.default.string(),
-  exp: import_utils31.zInteger,
-  aud: import_utils31.zHttpsUrl,
-  jti: import_zod16.default.string(),
-  nonce: import_zod16.default.optional(import_zod16.default.string())
-}).passthrough();
-var zClientAttestationPopJwtHeader = import_zod16.default.object({
-  ...zJwtHeader.shape,
-  typ: import_zod16.default.literal("oauth-client-attestation-pop+jwt")
-}).passthrough();
-
-// src/client-attestation/clent-attestation.ts
-async function verifyClientAttestationJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.clientAttestationJwt,
-    headerSchema: zClientAttestationJwtHeader,
-    payloadSchema: zClientAttestationJwtPayload
-  });
-  const { signer } = await verifyJwt({
-    signer: jwtSignerFromJwt({ header, payload }),
-    now: options.now,
-    header,
-    payload,
-    compact: options.clientAttestationJwt,
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "client attestation jwt verification failed"
-  });
-  return {
-    header,
-    payload,
-    signer
-  };
-}
-async function createClientAttestationJwt(options) {
-  const header = (0, import_utils32.parseWithErrorHandling)(zClientAttestationJwtHeader, {
-    typ: "oauth-client-attestation+jwt",
-    ...jwtHeaderFromJwtSigner(options.signer)
-  });
-  const payload = (0, import_utils32.parseWithErrorHandling)(zClientAttestationJwtPayload, {
-    iss: options.issuer,
-    iat: (0, import_utils32.dateToSeconds)(options.issuedAt),
-    exp: (0, import_utils32.dateToSeconds)(options.expiresAt),
-    sub: options.clientId,
-    cnf: options.confirmation,
-    ...options.additionalPayload
+    authorization_code: options.authorizationCode
   });
-  const { jwt } = await options.callbacks.signJwt(options.signer, {
-    header,
-    payload
+  return { authorizationChallengeResponse };
+}
+function createAuthorizationChallengeErrorResponse(options) {
+  const authorizationChallengeErrorResponse = (0, import_utils33.parseWithErrorHandling)(zAuthorizationChallengeErrorResponse, {
+    ...options.additionalPayload,
+    // General FiPA
+    error: options.error,
+    error_description: options.errorDescription,
+    auth_session: options.authSession,
+    // Presentation during issuance
+    presentation: options.presentation,
+    // PAR
+    request_uri: options.requestUri,
+    expires_in: options.expiresIn
   });
-  return jwt;
+  return authorizationChallengeErrorResponse;
 }
-function extractClientAttestationJwtsFromHeaders(headers) {
-  const clientAttestationHeader = headers.get(oauthClientAttestationHeader);
-  const clientAttestationPopHeader = headers.get(oauthClientAttestationPopHeader);
-  if (!clientAttestationHeader || clientAttestationHeader.includes(",")) {
-    throw new Oauth2Error(`Missing or invalid '${oauthClientAttestationHeader}' header.`);
+
+// src/authorization-challenge/parse-authorization-challenge-request.ts
+var import_utils34 = require("@openid4vc/utils");
+
+// src/authorization-request/parse-authorization-request.ts
+function parseAuthorizationRequest(options) {
+  const extractedDpopJwt = extractDpopJwtFromHeaders(options.request.headers);
+  if (!extractedDpopJwt.valid) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
+    });
   }
-  if (!clientAttestationPopHeader || clientAttestationPopHeader.includes(",")) {
-    throw new Oauth2Error(`Missing or invalid '${oauthClientAttestationPopHeader}' header.`);
+  const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
+  if (!extractedClientAttestationJwts.valid) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_client" /* InvalidClient */,
+      error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
+    });
   }
   return {
-    clientAttestationPopHeader,
-    clientAttestationHeader
+    dpop: extractedDpopJwt.dpopJwt ? {
+      jwt: extractedDpopJwt.dpopJwt,
+      jwkThumbprint: options.authorizationRequest.dpop_jkt
+    } : (
+      // Basically the same as above, but with correct TS type hinting
+      options.authorizationRequest.dpop_jkt ? {
+        jwt: extractedDpopJwt.dpopJwt,
+        jwkThumbprint: options.authorizationRequest.dpop_jkt
+      } : void 0
+    ),
+    clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
+      clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
+      clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
+    } : void 0
   };
 }
 
-// src/client-attestation/client-attestation-pop.ts
-var import_utils33 = require("@openid4vc/utils");
-async function createClientAttestationForRequest(options) {
-  const clientAttestationPopJwt = await createClientAttestationPopJwt({
-    authorizationServer: options.authorizationServer,
-    clientAttestation: options.clientAttestation.jwt,
-    callbacks: options.callbacks,
-    expiresAt: options.clientAttestation.expiresAt,
-    signer: options.clientAttestation.signer,
-    nonce: options.clientAttestation.nonce
+// src/authorization-challenge/parse-authorization-challenge-request.ts
+function parseAuthorizationChallengeRequest(options) {
+  const parsedAuthorizationChallengeRequest = zAuthorizationChallengeRequest.safeParse(
+    options.authorizationChallengeRequest
+  );
+  if (!parsedAuthorizationChallengeRequest.success) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_request" /* InvalidRequest */,
+      error_description: `Error occured during validation of authorization challenge request.
+${(0, import_utils34.formatZodError)(parsedAuthorizationChallengeRequest.error)}`
+    });
+  }
+  const authorizationChallengeRequest = parsedAuthorizationChallengeRequest.data;
+  const { clientAttestation, dpop } = parseAuthorizationRequest({
+    authorizationRequest: authorizationChallengeRequest,
+    request: options.request
   });
   return {
-    headers: {
-      [oauthClientAttestationHeader]: options.clientAttestation.jwt,
-      [oauthClientAttestationPopHeader]: clientAttestationPopJwt
-    },
-    body: options.clientAttestation.includeLegacyDraft2ClientAssertion ? {
-      client_assertion: `${options.clientAttestation.jwt}~${clientAttestationPopJwt}`,
-      client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation"
-    } : void 0
+    authorizationChallengeRequest: parsedAuthorizationChallengeRequest.data,
+    dpop,
+    clientAttestation
   };
 }
-async function verifyClientAttestationPopJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.clientAttestationPopJwt,
-    headerSchema: zClientAttestationPopJwtHeader,
-    payloadSchema: zClientAttestationPopJwtPayload
+
+// src/authorization-request/verify-authorization-request.ts
+async function verifyAuthorizationRequest(options) {
+  const dpopResult = options.dpop ? await verifyAuthorizationRequestDpop(options.dpop, options.request, options.callbacks, options.now) : void 0;
+  const clientAttestationResult = options.clientAttestation ? await verifyAuthorizationRequestClientAttestation(
+    options.clientAttestation,
+    options.authorizationServerMetadata,
+    options.callbacks,
+    dpopResult?.jwkThumbprint,
+    options.now,
+    options.authorizationRequest.client_id
+  ) : void 0;
+  return {
+    dpop: dpopResult?.jwkThumbprint ? {
+      jwkThumbprint: dpopResult.jwkThumbprint,
+      jwk: dpopResult.jwk
+    } : void 0,
+    clientAttestation: clientAttestationResult
+  };
+}
+async function verifyAuthorizationRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now, requestClientId) {
+  if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
+    if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) {
+      return void 0;
+    }
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Missing required client attestation parameters in pushed authorization request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
+    });
+  }
+  const verifiedClientAttestation = await verifyClientAttestation({
+    authorizationServer: authorizationServerMetadata.issuer,
+    callbacks,
+    clientAttestationJwt: options.clientAttestationJwt,
+    clientAttestationPopJwt: options.clientAttestationPopJwt,
+    now
   });
-  if (payload.iss !== options.clientAttestation.payload.sub) {
-    throw new Oauth2Error(
-      `Client Attestation Pop jwt contains 'iss' (client_id) value '${payload.iss}', but expected 'sub' value from client attestation '${options.clientAttestation.payload.sub}'`
+  if (requestClientId && requestClientId !== verifiedClientAttestation.clientAttestation.payload.sub) {
+    throw new Oauth2ServerErrorResponseError(
+      {
+        error: "invalid_client" /* InvalidClient */,
+        error_description: `The client_id '${requestClientId}' in the request does not match the client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation`
+      },
+      {
+        status: 401
+      }
     );
   }
-  if (payload.aud !== options.authorizationServer) {
-    throw new Oauth2Error(
-      `Client Attestation Pop jwt contains 'aud' value '${payload.aud}', but expected authorization server identifier '${options.authorizationServer}'`
-    );
+  if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
+    const clientAttestationJkt = await calculateJwkThumbprint({
+      hashAlgorithm: "sha-256" /* Sha256 */,
+      hashCallback: callbacks.hash,
+      jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
+    });
+    if (clientAttestationJkt !== dpopJwkThumbprint) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: "invalid_request" /* InvalidRequest */,
+          error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensrue both DPoP and client attestation use the same key."
+        },
+        {
+          status: 401
+        }
+      );
+    }
+  }
+  return verifiedClientAttestation;
+}
+async function verifyAuthorizationRequestDpop(options, request, callbacks, now) {
+  if (options.required && !options.jwt && !options.jwkThumbprint) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `Missing required DPoP parameters in authorization request. Either DPoP header or 'dpop_jkt' is required.`
+    });
+  }
+  const verifyDpopResult = options.jwt ? await verifyDpopJwt({
+    callbacks,
+    dpopJwt: options.jwt,
+    request,
+    allowedSigningAlgs: options.allowedSigningAlgs,
+    now
+  }) : void 0;
+  if (options.jwkThumbprint && verifyDpopResult && options.jwkThumbprint !== verifyDpopResult.jwkThumbprint) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_dpop_proof" /* InvalidDpopProof */,
+      error_description: `DPoP jwk thumbprint does not match with 'dpop_jkt' provided in authorization request`
+    });
   }
-  const { signer } = await verifyJwt({
-    signer: {
-      alg: header.alg,
-      method: "jwk",
-      publicJwk: options.clientAttestation.payload.cnf.jwk
-    },
-    now: options.now,
-    header,
-    expectedNonce: options.expectedNonce,
-    payload,
-    compact: options.clientAttestationPopJwt,
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "client attestation pop jwt verification failed"
-  });
   return {
-    header,
-    payload,
-    signer
+    jwk: verifyDpopResult?.header.jwk,
+    jwkThumbprint: verifyDpopResult?.jwkThumbprint ?? options.jwkThumbprint
   };
 }
-async function createClientAttestationPopJwt(options) {
-  const header = (0, import_utils33.parseWithErrorHandling)(zClientAttestationPopJwtHeader, {
-    typ: "oauth-client-attestation-pop+jwt",
-    alg: options.signer.alg
+
+// src/authorization-challenge/verify-authorization-challenge-request.ts
+async function verifyAuthorizationChallengeRequest(options) {
+  const { clientAttestation, dpop } = await verifyAuthorizationRequest({
+    ...options,
+    authorizationRequest: options.authorizationChallengeRequest
   });
-  const clientAttestation = decodeJwt({
-    jwt: options.clientAttestation,
-    headerSchema: zClientAttestationJwtHeader,
-    payloadSchema: zClientAttestationJwtPayload
+  return {
+    dpop,
+    clientAttestation
+  };
+}
+
+// src/authorization-request/create-pushed-authorization-response.ts
+var import_utils35 = require("@openid4vc/utils");
+function createPushedAuthorizationResponse(options) {
+  const pushedAuthorizationResponse = (0, import_utils35.parseWithErrorHandling)(zPushedAuthorizationResponse, {
+    ...options.additionalPayload,
+    expires_in: options.expiresInSeconds,
+    request_uri: options.requestUri
   });
-  const expiresAt = options.expiresAt ?? (0, import_utils33.addSecondsToDate)(options.issuedAt ?? /* @__PURE__ */ new Date(), 1 * 60);
-  const payload = (0, import_utils33.parseWithErrorHandling)(zClientAttestationPopJwtPayload, {
-    aud: options.authorizationServer,
-    iss: clientAttestation.payload.sub,
-    iat: (0, import_utils33.dateToSeconds)(options.issuedAt),
-    exp: (0, import_utils33.dateToSeconds)(expiresAt),
-    jti: (0, import_utils33.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
-    nonce: options.nonce,
-    ...options.additionalPayload
+  return { pushedAuthorizationResponse };
+}
+function createPushedAuthorizationErrorResponse(options) {
+  const pushedAuthorizationErrorResponse = (0, import_utils35.parseWithErrorHandling)(zAccessTokenErrorResponse, {
+    ...options.additionalPayload,
+    error: options.error,
+    error_description: options.errorDescription
   });
-  const { jwt } = await options.callbacks.signJwt(options.signer, {
-    header,
-    payload
+  return pushedAuthorizationErrorResponse;
+}
+
+// src/authorization-request/parse-pushed-authorization-request.ts
+var import_utils36 = require("@openid4vc/utils");
+function parsePushedAuthorizationRequest(options) {
+  const parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
+  if (!parsedAuthorizationRequest.success) {
+    throw new Oauth2ServerErrorResponseError({
+      error: "invalid_request" /* InvalidRequest */,
+      error_description: `Error occured during validation of pushed authorization request.
+${(0, import_utils36.formatZodError)(parsedAuthorizationRequest.error)}`
+    });
+  }
+  const authorizationRequest = parsedAuthorizationRequest.data;
+  const { clientAttestation, dpop } = parseAuthorizationRequest({
+    authorizationRequest,
+    request: options.request
   });
-  return jwt;
+  return {
+    authorizationRequest,
+    dpop,
+    clientAttestation
+  };
+}
+
+// src/authorization-request/verify-pushed-authorization-request.ts
+async function verifyPushedAuthorizationRequest(options) {
+  const { clientAttestation, dpop } = await verifyAuthorizationRequest(options);
+  return {
+    dpop,
+    clientAttestation
+  };
 }
 
 // src/Oauth2AuthorizationServer.ts
@@ -2106,7 +2472,7 @@ var Oauth2AuthorizationServer = class {
     this.options = options;
   }
   createAuthorizationServerMetadata(authorizationServerMetadata) {
-    return (0, import_utils34.parseWithErrorHandling)(
+    return (0, import_utils37.parseWithErrorHandling)(
       zAuthorizationServerMetadata,
       authorizationServerMetadata,
       "Error validating authorization server metadata"
@@ -2151,7 +2517,7 @@ var Oauth2AuthorizationServer = class {
       scope: options.scope,
       clientId: options.clientId,
       signer: options.signer,
-      dpopJwk: options.dpopJwk,
+      dpop: options.dpop,
       now: options.now,
       additionalPayload: options.additionalAccessTokenPayload
     });
@@ -2159,23 +2525,47 @@ var Oauth2AuthorizationServer = class {
       accessToken,
       callbacks: this.options.callbacks,
       expiresInSeconds: options.expiresInSeconds,
-      tokenType: options.dpopJwk ? "DPoP" : "Bearer",
+      tokenType: options.dpop ? "DPoP" : "Bearer",
       cNonce: options.cNonce,
       cNonceExpiresIn: options.cNonceExpiresIn,
       additionalPayload: options.additionalAccessTokenResponsePayload
     });
   }
+  /**
+   * Parse a pushed authorization request
+   */
+  parsePushedAuthorizationRequest(options) {
+    return parsePushedAuthorizationRequest(options);
+  }
+  verifyPushedAuthorizationRequest(options) {
+    return verifyPushedAuthorizationRequest({
+      ...options,
+      callbacks: this.options.callbacks
+    });
+  }
+  createPushedAuthorizationResponse(options) {
+    return createPushedAuthorizationResponse(options);
+  }
+  createPushedAuthorizationErrorResponse(options) {
+    return createPushedAuthorizationErrorResponse(options);
+  }
   /**
    * Parse an authorization challenge request
    */
   parseAuthorizationChallengeRequest(options) {
     return parseAuthorizationChallengeRequest(options);
   }
+  verifyAuthorizationChallengeRequest(options) {
+    return verifyAuthorizationChallengeRequest({
+      ...options,
+      callbacks: this.options.callbacks
+    });
+  }
   createAuthorizationChallengeResponse(options) {
     return createAuthorizationChallengeResponse(options);
   }
   /**
-   * Create an authorization challenge error response indicating presentation of credenitals
+   * Create an authorization challenge error response indicating presentation of credentials
    * using OpenID4VP is required before authorization can be granted.
    *
    * The `presentation` parameter should be an OpenID4VP authorization request url.
@@ -2193,34 +2583,26 @@ var Oauth2AuthorizationServer = class {
   createAuthorizationChallengeErrorResponse(options) {
     return createAuthorizationChallengeErrorResponse(options);
   }
-  async verifyClientAttestation({
-    authorizationServer,
-    headers
-  }) {
-    const { clientAttestationHeader, clientAttestationPopHeader } = extractClientAttestationJwtsFromHeaders(headers);
-    const clientAttestation = await verifyClientAttestationJwt({
-      callbacks: this.options.callbacks,
-      clientAttestationJwt: clientAttestationHeader
+  async verifyDpopJwt(options) {
+    return verifyDpopJwt({
+      ...options,
+      callbacks: this.options.callbacks
     });
-    const clientAttestationPop = await verifyClientAttestationPopJwt({
-      callbacks: this.options.callbacks,
-      authorizationServer,
-      clientAttestation,
-      clientAttestationPopJwt: clientAttestationPopHeader
+  }
+  async verifyClientAttestation(options) {
+    return verifyClientAttestation({
+      ...options,
+      callbacks: this.options.callbacks
     });
-    return {
-      clientAttestation,
-      clientAttestationPop
-    };
   }
 };
 
 // src/Oauth2Client.ts
-var import_utils41 = require("@openid4vc/utils");
+var import_utils44 = require("@openid4vc/utils");
 
 // src/access-token/retrieve-access-token.ts
-var import_utils35 = require("@openid4vc/utils");
-var import_utils36 = require("@openid4vc/utils");
+var import_utils38 = require("@openid4vc/utils");
+var import_utils39 = require("@openid4vc/utils");
 async function retrievePreAuthorizedCodeAccessToken(options) {
   const request = {
     grant_type: preAuthorizedCodeGrantIdentifier,
@@ -2234,8 +2616,7 @@ async function retrievePreAuthorizedCodeAccessToken(options) {
     request,
     dpop: options.dpop,
     callbacks: options.callbacks,
-    resource: options.resource,
-    clientAttestation: options.clientAttestation
+    resource: options.resource
   });
 }
 async function retrieveAuthorizationCodeAccessToken(options) {
@@ -2252,8 +2633,7 @@ async function retrieveAuthorizationCodeAccessToken(options) {
     request,
     dpop: options.dpop,
     resource: options.resource,
-    callbacks: options.callbacks,
-    clientAttestation: options.clientAttestation
+    callbacks: options.callbacks
   });
 }
 async function retrieveRefreshTokenAccessToken(options) {
@@ -2268,13 +2648,12 @@ async function retrieveRefreshTokenAccessToken(options) {
     request,
     dpop: options.dpop,
     callbacks: options.callbacks,
-    resource: options.resource,
-    clientAttestation: options.clientAttestation
+    resource: options.resource
   });
 }
 async function retrieveAccessToken(options) {
-  const fetchWithZod = (0, import_utils35.createZodFetcher)(options.callbacks.fetch);
-  const accessTokenRequest = (0, import_utils35.parseWithErrorHandling)(
+  const fetchWithZod = (0, import_utils38.createZodFetcher)(options.callbacks.fetch);
+  const accessTokenRequest = (0, import_utils38.parseWithErrorHandling)(
     zAccessTokenRequest,
     options.request,
     "Error validating access token request"
@@ -2282,11 +2661,6 @@ async function retrieveAccessToken(options) {
   if (accessTokenRequest.tx_code) {
     accessTokenRequest.user_pin = accessTokenRequest.tx_code;
   }
-  const clientAttestation = options.clientAttestation ? await createClientAttestationForRequest({
-    authorizationServer: options.authorizationServerMetadata.issuer,
-    clientAttestation: options.clientAttestation,
-    callbacks: options.callbacks
-  }) : void 0;
   return await authorizationServerRequestWithDpopRetry({
     dpop: options.dpop,
     request: async (dpop) => {
@@ -2299,22 +2673,26 @@ async function retrieveAccessToken(options) {
         callbacks: options.callbacks,
         nonce: dpop.nonce
       }) : void 0;
-      const requestQueryParams = (0, import_utils35.objectToQueryParams)({
-        ...accessTokenRequest,
-        ...clientAttestation?.body
+      const headers = new import_utils38.Headers({
+        "Content-Type": import_utils38.ContentType.XWwwFormUrlencoded,
+        ...dpopHeaders
+      });
+      await options.callbacks.clientAuthentication({
+        url: options.authorizationServerMetadata.token_endpoint,
+        method: "POST",
+        authorizationServerMetadata: options.authorizationServerMetadata,
+        body: accessTokenRequest,
+        contentType: import_utils38.ContentType.XWwwFormUrlencoded,
+        headers
       });
       const { response, result } = await fetchWithZod(
         zAccessTokenResponse,
-        import_utils35.ContentType.Json,
+        import_utils38.ContentType.Json,
         options.authorizationServerMetadata.token_endpoint,
         {
-          body: requestQueryParams.toString(),
+          body: (0, import_utils38.objectToQueryParams)(accessTokenRequest).toString(),
           method: "POST",
-          headers: {
-            "Content-Type": import_utils35.ContentType.XWwwFormUrlencoded,
-            ...clientAttestation?.headers,
-            ...dpopHeaders
-          }
+          headers
         }
       );
       if (!response.ok || !result) {
@@ -2328,7 +2706,7 @@ async function retrieveAccessToken(options) {
             response
           );
         }
-        throw new import_utils36.InvalidFetchResponseError(
+        throw new import_utils39.InvalidFetchResponseError(
           `Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received response with status ${response.status}`,
           await response.clone().text(),
           response
@@ -2350,10 +2728,10 @@ async function retrieveAccessToken(options) {
 }
 
 // src/authorization-challenge/send-authorization-challenge.ts
-var import_utils37 = require("@openid4vc/utils");
-var import_utils38 = require("@openid4vc/utils");
+var import_utils40 = require("@openid4vc/utils");
+var import_utils41 = require("@openid4vc/utils");
 async function sendAuthorizationChallengeRequest(options) {
-  const fetchWithZod = (0, import_utils37.createZodFetcher)(options.callbacks.fetch);
+  const fetchWithZod = (0, import_utils40.createZodFetcher)(options.callbacks.fetch);
   const authorizationServerMetadata = options.authorizationServerMetadata;
   const authorizationChallengeEndpoint = authorizationServerMetadata.authorization_challenge_endpoint;
   if (!authorizationChallengeEndpoint) {
@@ -2366,21 +2744,14 @@ async function sendAuthorizationChallengeRequest(options) {
     callbacks: options.callbacks,
     codeVerifier: options.pkceCodeVerifier
   }) : void 0;
-  const clientAttestation = options.clientAttestation ? await createClientAttestationForRequest({
-    authorizationServer: options.authorizationServerMetadata.issuer,
-    clientAttestation: options.clientAttestation,
-    callbacks: options.callbacks
-  }) : void 0;
-  const authorizationChallengeRequest = (0, import_utils37.parseWithErrorHandling)(zAuthorizationChallengeRequest, {
+  const authorizationChallengeRequest = (0, import_utils40.parseWithErrorHandling)(zAuthorizationChallengeRequest, {
     ...options.additionalRequestPayload,
     auth_session: options.authSession,
-    client_id: options.clientId,
     scope: options.scope,
     resource: options.resource,
     code_challenge: pkce?.codeChallenge,
     code_challenge_method: pkce?.codeChallengeMethod,
-    presentation_during_issuance_session: options.presentationDuringIssuanceSession,
-    ...clientAttestation?.body
+    presentation_during_issuance_session: options.presentationDuringIssuanceSession
   });
   return authorizationServerRequestWithDpopRetry({
     dpop: options.dpop,
@@ -2394,18 +2765,26 @@ async function sendAuthorizationChallengeRequest(options) {
         callbacks: options.callbacks,
         nonce: dpop.nonce
       }) : void 0;
+      const headers = new import_utils40.Headers({
+        ...dpopHeaders,
+        "Content-Type": import_utils40.ContentType.XWwwFormUrlencoded
+      });
+      await options.callbacks.clientAuthentication({
+        url: authorizationChallengeEndpoint,
+        method: "POST",
+        authorizationServerMetadata: options.authorizationServerMetadata,
+        body: authorizationChallengeRequest,
+        contentType: import_utils40.ContentType.XWwwFormUrlencoded,
+        headers
+      });
       const { response, result } = await fetchWithZod(
         zAuthorizationChallengeResponse,
-        import_utils37.ContentType.Json,
+        import_utils40.ContentType.Json,
         authorizationChallengeEndpoint,
         {
           method: "POST",
-          body: (0, import_utils37.objectToQueryParams)(authorizationChallengeRequest).toString(),
-          headers: {
-            ...clientAttestation?.headers,
-            ...dpopHeaders,
-            "Content-Type": import_utils37.ContentType.XWwwFormUrlencoded
-          }
+          body: (0, import_utils40.objectToQueryParams)(authorizationChallengeRequest).toString(),
+          headers
         }
       );
       if (!response.ok || !result) {
@@ -2419,14 +2798,14 @@ async function sendAuthorizationChallengeRequest(options) {
             response
           );
         }
-        throw new import_utils38.InvalidFetchResponseError(
+        throw new import_utils41.InvalidFetchResponseError(
           `Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`,
           await response.clone().text(),
           response
         );
       }
       if (!result.success) {
-        throw new import_utils37.ValidationError("Error validating authorization challenge response", result.error);
+        throw new import_utils40.ValidationError("Error validating authorization challenge response", result.error);
       }
       const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
       return {
@@ -2442,8 +2821,8 @@ async function sendAuthorizationChallengeRequest(options) {
 }
 
 // src/authorization-request/create-authorization-request.ts
-var import_utils39 = require("@openid4vc/utils");
-var import_utils40 = require("@openid4vc/utils");
+var import_utils42 = require("@openid4vc/utils");
+var import_utils43 = require("@openid4vc/utils");
 async function createAuthorizationRequestUrl(options) {
   const authorizationServerMetadata = options.authorizationServerMetadata;
   const pushedAuthorizationRequestEndpoint = authorizationServerMetadata.pushed_authorization_request_endpoint;
@@ -2475,11 +2854,6 @@ async function createAuthorizationRequestUrl(options) {
         `Authorization server '${authorizationServerMetadata.issuer}' indicated that pushed authorization requests are required, but the 'pushed_authorization_request_endpoint' is missing in the authorization server metadata.`
       );
     }
-    const clientAttestation = options.clientAttestation ? await createClientAttestationForRequest({
-      authorizationServer: options.authorizationServerMetadata.issuer,
-      clientAttestation: options.clientAttestation,
-      callbacks: options.callbacks
-    }) : void 0;
     const { pushedAuthorizationResponse, dpopNonce } = await authorizationServerRequestWithDpopRetry({
       dpop: options.dpop,
       request: async (dpop2) => {
@@ -2493,16 +2867,11 @@ async function createAuthorizationRequestUrl(options) {
           nonce: dpop2.nonce
         }) : void 0;
         return await pushAuthorizationRequest({
-          authorizationRequest: {
-            ...authorizationRequest,
-            ...clientAttestation?.headers
-          },
+          authorizationServerMetadata,
+          authorizationRequest,
           pushedAuthorizationRequestEndpoint,
-          fetch: options.callbacks.fetch,
-          headers: {
-            ...clientAttestation?.headers,
-            ...dpopHeaders
-          }
+          callbacks: options.callbacks,
+          headers: dpopHeaders
         });
       }
     });
@@ -2525,7 +2894,7 @@ async function createAuthorizationRequestUrl(options) {
       });
     }
   }
-  const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${(0, import_utils39.objectToQueryParams)(pushedAuthorizationRequest ?? authorizationRequest).toString()}`;
+  const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${(0, import_utils42.objectToQueryParams)(pushedAuthorizationRequest ?? authorizationRequest).toString()}`;
   return {
     authorizationRequestUrl,
     pkce,
@@ -2533,23 +2902,32 @@ async function createAuthorizationRequestUrl(options) {
   };
 }
 async function pushAuthorizationRequest(options) {
-  const fetchWithZod = (0, import_utils39.createZodFetcher)(options.fetch);
+  const fetchWithZod = (0, import_utils42.createZodFetcher)(options.callbacks.fetch);
   if (options.authorizationRequest.request_uri) {
     throw new Oauth2Error(
       `Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization reuqests.`
     );
   }
+  const headers = new import_utils42.Headers({
+    ...options.headers,
+    "Content-Type": import_utils42.ContentType.XWwwFormUrlencoded
+  });
+  await options.callbacks.clientAuthentication({
+    url: options.pushedAuthorizationRequestEndpoint,
+    method: "POST",
+    authorizationServerMetadata: options.authorizationServerMetadata,
+    body: options.authorizationRequest,
+    contentType: import_utils42.ContentType.XWwwFormUrlencoded,
+    headers
+  });
   const { response, result } = await fetchWithZod(
     zPushedAuthorizationResponse,
-    import_utils39.ContentType.Json,
+    import_utils42.ContentType.Json,
     options.pushedAuthorizationRequestEndpoint,
     {
       method: "POST",
-      body: (0, import_utils39.objectToQueryParams)(options.authorizationRequest).toString(),
-      headers: {
-        ...options.headers,
-        "Content-Type": import_utils39.ContentType.XWwwFormUrlencoded
-      }
+      body: (0, import_utils42.objectToQueryParams)(options.authorizationRequest).toString(),
+      headers
     }
   );
   if (!response.ok || !result) {
@@ -2563,7 +2941,7 @@ async function pushAuthorizationRequest(options) {
         response
       );
     }
-    throw new import_utils40.InvalidFetchResponseError(
+    throw new import_utils43.InvalidFetchResponseError(
       `Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`,
       await response.clone().text(),
       response
@@ -2584,6 +2962,8 @@ var Oauth2Client = class {
   constructor(options) {
     this.options = options;
   }
+  // TODO: add options to provide client metadata / algs supported by the client
+  // so we can find the commonly supported algs and make it easier
   isDpopSupported(options) {
     if (!options.authorizationServerMetadata.dpop_signing_alg_values_supported || options.authorizationServerMetadata.dpop_signing_alg_values_supported.length === 0) {
       return {
@@ -2595,6 +2975,18 @@ var Oauth2Client = class {
       dpopSigningAlgValuesSupported: options.authorizationServerMetadata.dpop_signing_alg_values_supported
     };
   }
+  isClientAttestationSupported(options) {
+    if (!options.authorizationServerMetadata.token_endpoint_auth_methods_supported || !options.authorizationServerMetadata.token_endpoint_auth_methods_supported.includes(
+      "attest_jwt_client_auth" /* ClientAttestationJwt */
+    )) {
+      return {
+        supported: false
+      };
+    }
+    return {
+      supported: true
+    };
+  }
   async fetchAuthorizationServerMetadata(issuer) {
     return fetchAuthorizationServerMetadata(issuer, this.options.callbacks.fetch);
   }
@@ -2622,18 +3014,16 @@ var Oauth2Client = class {
         await this.sendAuthorizationChallengeRequest({
           authorizationServerMetadata: options.authorizationServerMetadata,
           additionalRequestPayload: options.additionalRequestPayload,
-          clientId: options.clientId,
           pkceCodeVerifier: pkce?.codeVerifier,
           scope: options.scope,
           resource: options.resource,
-          clientAttestation: options.clientAttestation,
           dpop: options.dpop
         });
       } catch (error) {
         const isRecoverableError = error instanceof Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === "redirect_to_web" /* RedirectToWeb */;
         if (!isRecoverableError) throw error;
         if (error.errorResponse.request_uri) {
-          const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0, import_utils41.objectToQueryParams)(
+          const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0, import_utils44.objectToQueryParams)(
             {
               request_uri: error.errorResponse.request_uri,
               client_id: options.clientId
@@ -2659,7 +3049,6 @@ var Oauth2Client = class {
       scope: options.scope,
       pkceCodeVerifier: pkce?.codeVerifier,
       resource: options.resource,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
   }
@@ -2679,7 +3068,6 @@ var Oauth2Client = class {
       scope: options.scope,
       callbacks: this.options.callbacks,
       pkceCodeVerifier: options.pkceCodeVerifier,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
   }
@@ -2689,8 +3077,7 @@ var Oauth2Client = class {
     additionalRequestPayload,
     txCode,
     dpop,
-    resource,
-    clientAttestation
+    resource
   }) {
     const result = await retrievePreAuthorizedCodeAccessToken({
       authorizationServerMetadata,
@@ -2702,8 +3089,7 @@ var Oauth2Client = class {
         tx_code: txCode
       },
       callbacks: this.options.callbacks,
-      dpop,
-      clientAttestation
+      dpop
     });
     return result;
   }
@@ -2714,8 +3100,7 @@ var Oauth2Client = class {
     pkceCodeVerifier,
     redirectUri,
     resource,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     const result = await retrieveAuthorizationCodeAccessToken({
       authorizationServerMetadata,
@@ -2725,8 +3110,7 @@ var Oauth2Client = class {
       resource,
       callbacks: this.options.callbacks,
       dpop,
-      redirectUri,
-      clientAttestation
+      redirectUri
     });
     return result;
   }
@@ -2735,8 +3119,7 @@ var Oauth2Client = class {
     additionalRequestPayload,
     refreshToken,
     resource,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     const result = await retrieveRefreshTokenAccessToken({
       authorizationServerMetadata,
@@ -2744,23 +3127,13 @@ var Oauth2Client = class {
       additionalRequestPayload,
       resource,
       callbacks: this.options.callbacks,
-      dpop,
-      clientAttestation
+      dpop
     });
     return result;
   }
   async resourceRequest(options) {
     return resourceRequest(options);
   }
-  /**
-   * @todo move this to another class?
-   */
-  async createClientAttestationJwt(options) {
-    return await createClientAttestationJwt({
-      callbacks: this.options.callbacks,
-      ...options
-    });
-  }
 };
 
 // src/Oauth2ResourceServer.ts
@@ -2792,12 +3165,16 @@ var Oauth2ResourceServer = class {
   Oauth2ServerErrorResponseError,
   PkceCodeChallengeMethod,
   SupportedAuthenticationScheme,
+  SupportedClientAuthenticationMethod,
   authorizationCodeGrantIdentifier,
   calculateJwkThumbprint,
+  clientAuthenticationAnonymous,
+  clientAuthenticationClientAttestationJwt,
   clientAuthenticationClientSecretBasic,
   clientAuthenticationClientSecretPost,
   clientAuthenticationDynamic,
   clientAuthenticationNone,
+  createClientAttestationJwt,
   decodeJwt,
   decodeJwtHeader,
   fetchAuthorizationServerMetadata,