@openid4vc/oauth2 0.3.1-alpha-20251127040522 → 0.4.0-alpha-20251127093634

package/dist/index.cjs

@@ -1,3093 +0,0 @@
-//#region rolldown:runtime
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __copyProps = (to, from, except, desc) => {
-	if (from && typeof from === "object" || typeof from === "function") {
-		for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
-			key = keys[i];
-			if (!__hasOwnProp.call(to, key) && key !== except) {
-				__defProp(to, key, {
-					get: ((k) => from[k]).bind(null, key),
-					enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-				});
-			}
-		}
-	}
-	return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-
-//#endregion
-let __openid4vc_utils = require("@openid4vc/utils");
-let zod = require("zod");
-zod = __toESM(zod);
-
-//#region src/callbacks.ts
-/**
-* Supported hashing algorithms
-*
-* Based on https://www.iana.org/assignments/named-information/named-information.xhtml
-*/
-let HashAlgorithm = /* @__PURE__ */ function(HashAlgorithm$1) {
-	HashAlgorithm$1["Sha256"] = "sha-256";
-	HashAlgorithm$1["Sha384"] = "sha-384";
-	HashAlgorithm$1["Sha512"] = "sha-512";
-	return HashAlgorithm$1;
-}({});
-
-//#endregion
-//#region src/error/Oauth2Error.ts
-var Oauth2Error = class extends Error {
-	constructor(message, options) {
-		const errorMessage = message ?? "Unknown error occurred.";
-		const causeMessage = options?.cause instanceof Error ? ` ${options.cause.message}` : options?.cause ? ` ${options?.cause}` : "";
-		super(`${errorMessage}${causeMessage}`);
-		this.cause = options?.cause;
-	}
-};
-
-//#endregion
-//#region src/common/jwk/jwk-thumbprint.ts
-const zJwkThumbprintComponents = zod.default.discriminatedUnion("kty", [
-	zod.default.object({
-		kty: zod.default.literal("EC"),
-		crv: zod.default.string(),
-		x: zod.default.string(),
-		y: zod.default.string()
-	}),
-	zod.default.object({
-		kty: zod.default.literal("OKP"),
-		crv: zod.default.string(),
-		x: zod.default.string()
-	}),
-	zod.default.object({
-		kty: zod.default.literal("RSA"),
-		e: zod.default.string(),
-		n: zod.default.string()
-	}),
-	zod.default.object({
-		kty: zod.default.literal("oct"),
-		k: zod.default.string()
-	})
-]).transform((data) => {
-	if (data.kty === "EC") return {
-		crv: data.crv,
-		kty: data.kty,
-		x: data.x,
-		y: data.y
-	};
-	if (data.kty === "OKP") return {
-		crv: data.crv,
-		kty: data.kty,
-		x: data.x
-	};
-	if (data.kty === "RSA") return {
-		e: data.e,
-		kty: data.kty,
-		n: data.n
-	};
-	if (data.kty === "oct") return {
-		k: data.k,
-		kty: data.kty
-	};
-	throw new Error("Unsupported kty");
-});
-async function calculateJwkThumbprint(options) {
-	const jwkThumbprintComponents = (0, __openid4vc_utils.parseWithErrorHandling)(zJwkThumbprintComponents, options.jwk, `Provided jwk does not match a supported jwk structure. Either the 'kty' is not supported, or required values are missing.`);
-	return (0, __openid4vc_utils.encodeToBase64Url)(await options.hashCallback((0, __openid4vc_utils.decodeUtf8String)(JSON.stringify(jwkThumbprintComponents)), options.hashAlgorithm));
-}
-
-//#endregion
-//#region src/common/jwk/jwks.ts
-/**
-*
-* @param header
-* @param jwks
-*/
-function extractJwkFromJwksForJwt(options) {
-	const jwksForUse = options.jwks.keys.filter(({ use }) => !use || use === options.use);
-	const jwkForKid = options.kid ? jwksForUse.find(({ kid }) => kid === options.kid) : void 0;
-	if (jwkForKid) return jwkForKid;
-	if (jwksForUse.length === 1) return jwksForUse[0];
-	throw new Oauth2Error(`Unable to extract jwk from jwks for use '${options.use}'${options.kid ? `with kid '${options.kid}'.` : ". No kid provided and more than jwk."}`);
-}
-async function isJwkInSet({ jwk, jwks, callbacks }) {
-	const jwkThumbprint = await calculateJwkThumbprint({
-		hashAlgorithm: HashAlgorithm.Sha256,
-		hashCallback: callbacks.hash,
-		jwk
-	});
-	for (const jwkFromSet of jwks) if (await calculateJwkThumbprint({
-		hashAlgorithm: HashAlgorithm.Sha256,
-		hashCallback: callbacks.hash,
-		jwk: jwkFromSet
-	}) === jwkThumbprint) return true;
-	return false;
-}
-
-//#endregion
-//#region src/error/Oauth2JwtParseError.ts
-var Oauth2JwtParseError = class extends Oauth2Error {
-	constructor(message) {
-		super(message ?? "Error parsing jwt");
-	}
-};
-
-//#endregion
-//#region src/common/jwk/z-jwk.ts
-const zJwk = zod.default.object({
-	kty: zod.default.string(),
-	crv: zod.default.optional(zod.default.string()),
-	x: zod.default.optional(zod.default.string()),
-	y: zod.default.optional(zod.default.string()),
-	e: zod.default.optional(zod.default.string()),
-	n: zod.default.optional(zod.default.string()),
-	alg: zod.default.optional(zod.default.string()),
-	d: zod.default.optional(zod.default.string()),
-	dp: zod.default.optional(zod.default.string()),
-	dq: zod.default.optional(zod.default.string()),
-	ext: zod.default.optional(zod.default.boolean()),
-	k: zod.default.optional(zod.default.string()),
-	key_ops: zod.default.optional(zod.default.array(zod.default.string())),
-	kid: zod.default.optional(zod.default.string()),
-	oth: zod.default.optional(zod.default.array(zod.default.object({
-		d: zod.default.optional(zod.default.string()),
-		r: zod.default.optional(zod.default.string()),
-		t: zod.default.optional(zod.default.string())
-	}).loose())),
-	p: zod.default.optional(zod.default.string()),
-	q: zod.default.optional(zod.default.string()),
-	qi: zod.default.optional(zod.default.string()),
-	use: zod.default.optional(zod.default.string()),
-	x5c: zod.default.optional(zod.default.array(zod.default.string())),
-	x5t: zod.default.optional(zod.default.string()),
-	"x5t#S256": zod.default.optional(zod.default.string()),
-	x5u: zod.default.optional(zod.default.string())
-}).loose();
-const zJwkSet = zod.default.object({ keys: zod.default.array(zJwk) }).loose();
-
-//#endregion
-//#region src/common/z-common.ts
-const zAlgValueNotNone = zod.default.string().refine((alg) => alg !== "none", { message: `alg value may not be 'none'` });
-
-//#endregion
-//#region src/common/jwt/z-jwt.ts
-const zCompactJwt = zod.default.string().regex(/^([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_]+)\.([a-zA-Z0-9-_]+)$/, { message: "Not a valid compact jwt" });
-const zJwtConfirmationPayload = zod.default.object({
-	jwk: zJwk.optional(),
-	jkt: zod.default.string().optional()
-}).loose();
-const zJwtPayload = zod.default.object({
-	iss: zod.default.string().optional(),
-	aud: zod.default.union([zod.default.string(), zod.default.array(zod.default.string())]).optional(),
-	iat: __openid4vc_utils.zInteger.optional(),
-	exp: __openid4vc_utils.zInteger.optional(),
-	nbf: __openid4vc_utils.zInteger.optional(),
-	nonce: zod.default.string().optional(),
-	jti: zod.default.string().optional(),
-	sub: zod.default.string().optional(),
-	cnf: zJwtConfirmationPayload.optional(),
-	status: zod.default.record(zod.default.string(), zod.default.any()).optional(),
-	trust_chain: zod.default.tuple([zod.default.string()], zod.default.string()).optional()
-}).loose();
-const zJwtHeader = zod.default.object({
-	alg: zAlgValueNotNone,
-	typ: zod.default.string().optional(),
-	kid: zod.default.string().optional(),
-	jwk: zJwk.optional(),
-	x5c: zod.default.array(zod.default.string()).optional(),
-	trust_chain: zod.default.tuple([zod.default.string()], zod.default.string()).optional()
-}).loose();
-
-//#endregion
-//#region src/common/jwt/decode-jwt-header.ts
-function decodeJwtHeader(options) {
-	const jwtParts = options.jwt.split(".");
-	if (jwtParts.length <= 2) throw new Oauth2JwtParseError("Jwt is not a valid jwt, unable to decode");
-	let headerJson;
-	try {
-		headerJson = (0, __openid4vc_utils.stringToJsonWithErrorHandling)((0, __openid4vc_utils.encodeToUtf8String)((0, __openid4vc_utils.decodeBase64)(jwtParts[0])), "Unable to parse jwt header to JSON");
-	} catch (error) {
-		throw new Oauth2JwtParseError(`Error parsing JWT. ${error instanceof Error ? error.message : ""}`);
-	}
-	return { header: (0, __openid4vc_utils.parseWithErrorHandling)(options.headerSchema ?? zJwtHeader, headerJson) };
-}
-
-//#endregion
-//#region src/common/jwt/decode-jwt.ts
-function decodeJwt(options) {
-	const jwtParts = options.jwt.split(".");
-	if (jwtParts.length !== 3) throw new Oauth2JwtParseError("Jwt is not a valid jwt, unable to decode");
-	let payloadJson;
-	try {
-		payloadJson = (0, __openid4vc_utils.stringToJsonWithErrorHandling)((0, __openid4vc_utils.encodeToUtf8String)((0, __openid4vc_utils.decodeBase64)(jwtParts[1])), "Unable to parse jwt payload to JSON");
-	} catch (error) {
-		throw new Oauth2JwtParseError(`Error parsing JWT. ${error instanceof Error ? error.message : ""}`);
-	}
-	const { header } = decodeJwtHeader({
-		jwt: options.jwt,
-		headerSchema: options.headerSchema
-	});
-	return {
-		header,
-		payload: (0, __openid4vc_utils.parseWithErrorHandling)(options.payloadSchema ?? zJwtPayload, payloadJson),
-		signature: jwtParts[2],
-		compact: options.jwt
-	};
-}
-function jwtHeaderFromJwtSigner(signer) {
-	if (signer.method === "did") return {
-		alg: signer.alg,
-		kid: signer.didUrl
-	};
-	if (signer.method === "federation") return {
-		alg: signer.alg,
-		kid: signer.kid,
-		trust_chain: signer.trustChain
-	};
-	if (signer.method === "jwk") return {
-		alg: signer.alg,
-		jwk: signer.publicJwk
-	};
-	if (signer.method === "x5c") return {
-		alg: signer.alg,
-		x5c: signer.x5c
-	};
-	return { alg: signer.alg };
-}
-function jwtSignerFromJwt({ header, payload, allowedSignerMethods }) {
-	const found = [];
-	if (header.x5c) found.push({
-		method: "x5c",
-		valid: true,
-		signer: {
-			alg: header.alg,
-			method: "x5c",
-			x5c: header.x5c,
-			kid: header.kid
-		}
-	});
-	if (header.trust_chain) if (!header.kid) found.push({
-		method: "federation",
-		valid: false,
-		error: `When 'trust_chain' is used in jwt header, the 'kid' parameter is required.`
-	});
-	else found.push({
-		method: "federation",
-		valid: true,
-		signer: {
-			alg: header.alg,
-			trustChain: header.trust_chain,
-			kid: header.kid,
-			method: "federation"
-		}
-	});
-	if (header.kid?.startsWith("did:") || payload.iss?.startsWith("did:")) if (payload.iss && header.kid?.startsWith("did:") && !header.kid.startsWith(payload.iss)) found.push({
-		method: "did",
-		valid: false,
-		error: `kid in header starts with did that is different from did value in 'iss'`
-	});
-	else if (!header.kid?.startsWith("did:") && !header.kid?.startsWith("#")) found.push({
-		method: "did",
-		valid: false,
-		error: `kid in header must start with either 'did:' or '#' when 'iss' value is a did`
-	});
-	else found.push({
-		method: "did",
-		valid: true,
-		signer: {
-			method: "did",
-			alg: header.alg,
-			didUrl: header.kid.startsWith("did:") ? header.kid : `${payload.iss}${header.kid}`
-		}
-	});
-	if (header.jwk) found.push({
-		method: "jwk",
-		signer: {
-			alg: header.alg,
-			method: "jwk",
-			publicJwk: header.jwk
-		},
-		valid: true
-	});
-	const allowedFoundMethods = found.filter((f) => !allowedSignerMethods || allowedSignerMethods?.includes(f.method));
-	const allowedValidMethods = allowedFoundMethods.filter((f) => f.valid);
-	if (allowedValidMethods.length > 0) return allowedValidMethods[0].signer;
-	if (allowedFoundMethods.length > 0) throw new Oauth2Error(`Unable to extract signer method from jwt. Found ${allowedFoundMethods.length} allowed signer method(s) but contained invalid configuration:\n${allowedFoundMethods.map((m) => m.valid ? "" : `FAILED: method ${m.method} - ${m.error}`).join("\n")}`);
-	if (found.length > 0) throw new Oauth2Error(`Unable to extract signer method from jwt. Found ${found.length} signer method(s) that are not allowed:\n${found.map((m) => m.valid ? `SUCCEEDED: method ${m.method}` : `FAILED: method ${m.method} - ${m.error}`).join("\n")}`);
-	if (!allowedSignerMethods || allowedSignerMethods.includes("custom")) return {
-		method: "custom",
-		alg: header.alg,
-		kid: header.kid
-	};
-	throw new Oauth2Error(`Unable to extract signer method from jwt. Found no signer methods and 'custom' signer method is not allowed.`);
-}
-
-//#endregion
-//#region src/error/Oauth2JwtVerificationError.ts
-var Oauth2JwtVerificationError = class extends Oauth2Error {
-	constructor(message, options) {
-		super(message ?? "Error verifiying jwt.", options);
-	}
-};
-
-//#endregion
-//#region src/common/jwt/verify-jwt.ts
-async function verifyJwt(options) {
-	const errorMessage = options.errorMessage ?? "Error during verification of jwt.";
-	let signerJwk;
-	try {
-		const result = await options.verifyJwtCallback(options.signer, {
-			header: options.header,
-			payload: options.payload,
-			compact: options.compact
-		});
-		if (!result.verified) throw new Oauth2JwtVerificationError(errorMessage);
-		signerJwk = result.signerJwk;
-	} catch (error) {
-		if (error instanceof Oauth2JwtVerificationError) throw error;
-		throw new Oauth2JwtVerificationError(errorMessage, { cause: error });
-	}
-	const nowInSeconds = (0, __openid4vc_utils.dateToSeconds)(options.now ?? /* @__PURE__ */ new Date());
-	const skewInSeconds = options.allowedSkewInSeconds ?? 0;
-	const timeBasedValidation = options.skipTimeBasedValidation !== void 0 ? !options.skipTimeBasedValidation : true;
-	if (timeBasedValidation && options.payload.nbf && nowInSeconds < options.payload.nbf - skewInSeconds) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nbf' is in the future`);
-	if (timeBasedValidation && options.payload.exp && nowInSeconds > options.payload.exp + skewInSeconds) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'exp' is in the past`);
-	if (options.expectedAudience) {
-		if (Array.isArray(options.payload.aud) && !options.payload.aud.includes(options.expectedAudience) || typeof options.payload.aud === "string" && options.payload.aud !== options.expectedAudience) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'aud' does not match expected value.`);
-	}
-	if (options.expectedIssuer && options.expectedIssuer !== options.payload.iss) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'iss' does not match expected value.`);
-	if (options.expectedNonce && options.expectedNonce !== options.payload.nonce) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'nonce' does not match expected value.`);
-	if (options.expectedSubject && options.expectedSubject !== options.payload.sub) throw new Oauth2JwtVerificationError(`${errorMessage} jwt 'sub' does not match expected value.`);
-	if (options.requiredClaims) {
-		for (const claim of options.requiredClaims) if (!options.payload[claim]) throw new Oauth2JwtVerificationError(`${errorMessage} jwt '${claim}' is missing.`);
-	}
-	return { signer: {
-		...options.signer,
-		publicJwk: signerJwk
-	} };
-}
-
-//#endregion
-//#region ../utils/src/error/ValidationError.ts
-var ValidationError$1 = class extends Error {
-	constructor(message, zodError) {
-		super(message);
-		this.message = `${message}\n${zodError ? zod.default.prettifyError(zodError) : ""}`;
-		Object.defineProperty(this, "zodError", {
-			value: zodError,
-			writable: false,
-			enumerable: false
-		});
-	}
-};
-
-//#endregion
-//#region src/metadata/fetch-jwks-uri.ts
-/**
-* Fetch JWKs from a provided JWKs URI.
-*
-* Returns validated metadata if successful response
-* Throws error otherwise
-*
-* @throws {ValidationError} if successful response but validation of response failed
-* @throws {InvalidFetchResponseError} if unsuccesful response
-*/
-async function fetchJwks(jwksUrl, fetch) {
-	const { result, response } = await (0, __openid4vc_utils.createZodFetcher)(fetch)(zJwkSet, [__openid4vc_utils.ContentType.JwkSet, __openid4vc_utils.ContentType.Json], jwksUrl);
-	if (!response.ok) throw new __openid4vc_utils.InvalidFetchResponseError(`Fetching JWKs from jwks_uri '${jwksUrl}' resulted in an unsuccessful response with status code '${response.status}'.`, await response.clone().text(), response);
-	if (!result?.success) throw new ValidationError$1(`Validation of JWKs from jwks_uri '${jwksUrl}' failed`, result?.error);
-	return result.data;
-}
-
-//#endregion
-//#region src/access-token/z-access-token-jwt.ts
-const zAccessTokenProfileJwtHeader = zod.default.object({
-	...zJwtHeader.shape,
-	typ: zod.default.enum(["application/at+jwt", "at+jwt"])
-}).loose();
-const zAccessTokenProfileJwtPayload = zod.default.object({
-	...zJwtPayload.shape,
-	iss: zod.default.string(),
-	exp: __openid4vc_utils.zInteger,
-	iat: __openid4vc_utils.zInteger,
-	aud: zod.default.union([zod.default.string(), zod.default.array(zod.default.string())]),
-	sub: zod.default.string(),
-	client_id: zod.default.optional(zod.default.string()),
-	jti: zod.default.string(),
-	scope: zod.default.optional(zod.default.string())
-}).loose();
-
-//#endregion
-//#region src/access-token/verify-access-token.ts
-let SupportedAuthenticationScheme = /* @__PURE__ */ function(SupportedAuthenticationScheme$1) {
-	SupportedAuthenticationScheme$1["Bearer"] = "Bearer";
-	SupportedAuthenticationScheme$1["DPoP"] = "DPoP";
-	return SupportedAuthenticationScheme$1;
-}({});
-/**
-* Verify an access token as a JWT Profile access token.
-*
-* @throws {@link ValidationError} if the JWT header or payload does not align with JWT Profile rules
-* @throws {@link Oauth2JwtParseError} if the jwt is not a valid jwt format, or the jwt header/payload cannot be parsed as JSON
-* @throws {@link Oauth2JwtVerificationError} if the JWT verification fails (signature or nbf/exp)
-* @throws {@link Oauth2JwtVerificationError} if the JWT verification fails (signature or nbf/exp)
-*/
-async function verifyJwtProfileAccessToken(options) {
-	const decodedJwt = decodeJwt({
-		jwt: options.accessToken,
-		headerSchema: zAccessTokenProfileJwtHeader,
-		payloadSchema: zAccessTokenProfileJwtPayload
-	});
-	const authorizationServer = options.authorizationServers.find(({ issuer }) => decodedJwt.payload.iss === issuer);
-	if (!authorizationServer) throw new Oauth2Error(`Access token jwt contains unrecognized authorization server 'iss' value of '${decodedJwt.payload.iss}'`);
-	const jwksUrl = authorizationServer.jwks_uri;
-	if (!jwksUrl) throw new Oauth2Error(`Authorization server '${authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`);
-	const jwks = await fetchJwks(jwksUrl, options.callbacks.fetch);
-	const publicJwk = extractJwkFromJwksForJwt({
-		kid: decodedJwt.header.kid,
-		jwks,
-		use: "sig"
-	});
-	await verifyJwt({
-		compact: options.accessToken,
-		header: decodedJwt.header,
-		payload: decodedJwt.payload,
-		signer: {
-			method: "jwk",
-			publicJwk,
-			alg: decodedJwt.header.alg
-		},
-		verifyJwtCallback: options.callbacks.verifyJwt,
-		errorMessage: "Error during verification of access token jwt.",
-		now: options.now,
-		expectedAudience: options.resourceServer
-	});
-	return {
-		header: decodedJwt.header,
-		payload: decodedJwt.payload,
-		authorizationServer
-	};
-}
-
-//#endregion
-//#region src/common/z-oauth2-error.ts
-let Oauth2ErrorCodes = /* @__PURE__ */ function(Oauth2ErrorCodes$1) {
-	Oauth2ErrorCodes$1["ServerError"] = "server_error";
-	Oauth2ErrorCodes$1["InvalidTarget"] = "invalid_target";
-	Oauth2ErrorCodes$1["InvalidRequest"] = "invalid_request";
-	Oauth2ErrorCodes$1["InvalidToken"] = "invalid_token";
-	Oauth2ErrorCodes$1["InsufficientScope"] = "insufficient_scope";
-	Oauth2ErrorCodes$1["InvalidGrant"] = "invalid_grant";
-	Oauth2ErrorCodes$1["InvalidClient"] = "invalid_client";
-	Oauth2ErrorCodes$1["UnauthorizedClient"] = "unauthorized_client";
-	Oauth2ErrorCodes$1["UnsupportedGrantType"] = "unsupported_grant_type";
-	Oauth2ErrorCodes$1["InvalidScope"] = "invalid_scope";
-	Oauth2ErrorCodes$1["InvalidDpopProof"] = "invalid_dpop_proof";
-	Oauth2ErrorCodes$1["UseDpopNonce"] = "use_dpop_nonce";
-	Oauth2ErrorCodes$1["RedirectToWeb"] = "redirect_to_web";
-	Oauth2ErrorCodes$1["InvalidSession"] = "invalid_session";
-	Oauth2ErrorCodes$1["InsufficientAuthorization"] = "insufficient_authorization";
-	Oauth2ErrorCodes$1["InvalidCredentialRequest"] = "invalid_credential_request";
-	Oauth2ErrorCodes$1["CredentialRequestDenied"] = "credential_request_denied";
-	Oauth2ErrorCodes$1["InvalidProof"] = "invalid_proof";
-	Oauth2ErrorCodes$1["InvalidNonce"] = "invalid_nonce";
-	Oauth2ErrorCodes$1["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
-	Oauth2ErrorCodes$1["UnknownCredentialConfiguration"] = "unknown_credential_configuration";
-	Oauth2ErrorCodes$1["UnknownCredentialIdentifier"] = "unknown_credential_identifier";
-	Oauth2ErrorCodes$1["InvalidTransactionId"] = "invalid_transaction_id";
-	Oauth2ErrorCodes$1["UnsupportedCredentialType"] = "unsupported_credential_type";
-	Oauth2ErrorCodes$1["UnsupportedCredentialFormat"] = "unsupported_credential_format";
-	Oauth2ErrorCodes$1["InvalidRequestUri"] = "invalid_request_uri";
-	Oauth2ErrorCodes$1["InvalidRequestObject"] = "invalid_request_object";
-	Oauth2ErrorCodes$1["RequestNotSupported"] = "request_not_supported";
-	Oauth2ErrorCodes$1["RequestUriNotSupported"] = "request_uri_not_supported";
-	Oauth2ErrorCodes$1["VpFormatsNotSupported"] = "vp_formats_not_supported";
-	Oauth2ErrorCodes$1["AccessDenied"] = "access_denied";
-	Oauth2ErrorCodes$1["InvalidPresentationDefinitionUri"] = "invalid_presentation_definition_uri";
-	Oauth2ErrorCodes$1["InvalidPresentationDefinitionReference"] = "invalid_presentation_definition_reference";
-	Oauth2ErrorCodes$1["InvalidRequestUriMethod"] = "invalid_request_uri_method";
-	Oauth2ErrorCodes$1["InvalidTransactionData"] = "invalid_transaction_data";
-	Oauth2ErrorCodes$1["WalletUnavailable"] = "wallet_unavailable";
-	return Oauth2ErrorCodes$1;
-}({});
-const zOauth2ErrorResponse = zod.default.object({
-	error: zod.default.union([zod.default.enum(Oauth2ErrorCodes), zod.default.string()]),
-	error_description: zod.default.string().optional(),
-	error_uri: zod.default.string().optional()
-}).loose();
-
-//#endregion
-//#region src/error/Oauth2ServerErrorResponseError.ts
-var Oauth2ServerErrorResponseError = class extends Oauth2Error {
-	constructor(errorResponse, options) {
-		super(`${options?.internalMessage ?? errorResponse.error_description}\n${JSON.stringify(errorResponse, null, 2)}`, options);
-		this.errorResponse = errorResponse;
-		this.status = options?.status ?? 400;
-	}
-};
-
-//#endregion
-//#region src/common/jwt/z-jwe.ts
-const zCompactJwe = zod.z.string().regex(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, { message: "Not a valid compact jwe" });
-
-//#endregion
-//#region src/jar/z-jar-authorization-request.ts
-const zJarAuthorizationRequest = zod.z.object({
-	request: zod.z.optional(zod.z.string()),
-	request_uri: zod.z.optional(__openid4vc_utils.zHttpsUrl),
-	client_id: zod.z.optional(zod.z.string())
-}).loose();
-function validateJarRequestParams(options) {
-	const { jarRequestParams } = options;
-	if (jarRequestParams.request && jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "request and request_uri cannot both be present in a JAR request"
-	});
-	if (!jarRequestParams.request && !jarRequestParams.request_uri) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "request or request_uri must be present"
-	});
-	return jarRequestParams;
-}
-function isJarAuthorizationRequest(request) {
-	return "request" in request || "request_uri" in request;
-}
-
-//#endregion
-//#region src/jar/z-jar-request-object.ts
-const zJarRequestObjectPayload = zod.z.object({
-	...zJwtPayload.shape,
-	client_id: zod.z.string()
-}).loose();
-const zSignedAuthorizationRequestJwtHeaderTyp = zod.z.literal("oauth-authz-req+jwt");
-const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value;
-const zJwtAuthorizationRequestJwtHeaderTyp = zod.z.literal("jwt");
-const jwtAuthorizationRequestJwtHeaderTyp = zJwtAuthorizationRequestJwtHeaderTyp.value;
-
-//#endregion
-//#region src/jar/handle-jar-request/verify-jar-request.ts
-/**
-* Parse a JAR (JWT Secured Authorization Request) request by validating and optionally fetch from uri.
-*
-* @param options - The input parameters
-* @param options.jarRequestParams - The JAR authorization request parameters
-* @param options.callbacks - Context containing the relevant Jose crypto operations
-* @returns An object containing the transmission method ('value' or 'reference') and the JWT request object.
-*/
-async function parseJarRequest(options) {
-	const { callbacks } = options;
-	const jarRequestParams = {
-		...validateJarRequestParams(options),
-		...options.jarRequestParams
-	};
-	return {
-		sendBy: jarRequestParams.request ? "value" : "reference",
-		authorizationRequestJwt: jarRequestParams.request ?? await fetchJarRequestObject({
-			requestUri: jarRequestParams.request_uri,
-			fetch: callbacks.fetch
-		})
-	};
-}
-/**
-* Verifies a JAR (JWT Secured Authorization Request) request by validating and verifying signatures.
-*
-* @param options - The input parameters
-* @param options.jarRequestParams - The JAR authorization request parameters
-* @param options.callbacks - Context containing the relevant Jose crypto operations
-* @returns The verified authorization request parameters and metadata
-*/
-async function verifyJarRequest(options) {
-	const { jarRequestParams, authorizationRequestJwt, callbacks, jwtSigner } = options;
-	if (zCompactJwe.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Encrypted JWE request objects are not supported."
-	});
-	if (!zCompactJwt.safeParse(authorizationRequestJwt).success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "JAR request object is not a valid JWT."
-	});
-	const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
-		authorizationRequestJwt,
-		callbacks,
-		jwtSigner
-	});
-	if (!authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Jar Request Object is missing the required \"client_id\" field."
-	});
-	if (jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: "client_id does not match the request object client_id."
-	});
-	return {
-		jwt,
-		authorizationRequestPayload,
-		signer
-	};
-}
-async function fetchJarRequestObject(options) {
-	const { requestUri, fetch } = options;
-	const response = await (0, __openid4vc_utils.createFetcher)(fetch)(requestUri, {
-		method: "get",
-		headers: {
-			Accept: `${__openid4vc_utils.ContentType.OAuthAuthorizationRequestJwt}, ${__openid4vc_utils.ContentType.Jwt};q=0.9, text/plain`,
-			"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
-		}
-	}).catch(() => {
-		throw new Oauth2ServerErrorResponseError({
-			error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
-			error: Oauth2ErrorCodes.InvalidRequestUri
-		});
-	});
-	if (!response.ok) throw new Oauth2ServerErrorResponseError({
-		error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
-		error: Oauth2ErrorCodes.InvalidRequestUri
-	});
-	return await response.text();
-}
-async function verifyJarRequestObject(options) {
-	const { authorizationRequestJwt, callbacks, jwtSigner } = options;
-	const jwt = decodeJwt({
-		jwt: authorizationRequestJwt,
-		payloadSchema: zJarRequestObjectPayload
-	});
-	const { signer } = await verifyJwt({
-		verifyJwtCallback: callbacks.verifyJwt,
-		compact: authorizationRequestJwt,
-		header: jwt.header,
-		payload: jwt.payload,
-		signer: jwtSigner
-	});
-	if (jwt.header.typ !== signedAuthorizationRequestJwtHeaderTyp && jwt.header.typ !== jwtAuthorizationRequestJwtHeaderTyp) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt" or "jwt", received "${jwt.header.typ}".`
-	});
-	return {
-		signer,
-		jwt,
-		authorizationRequestPayload: jwt.payload
-	};
-}
-
-//#endregion
-//#region src/client-attestation/z-client-attestation.ts
-const zOauthClientAttestationHeader = zod.default.literal("OAuth-Client-Attestation");
-const oauthClientAttestationHeader = zOauthClientAttestationHeader.value;
-const zClientAttestationJwtPayload = zod.default.object({
-	...zJwtPayload.shape,
-	iss: zod.default.string(),
-	sub: zod.default.string(),
-	exp: __openid4vc_utils.zInteger,
-	cnf: zod.default.object({ jwk: zJwk }).loose(),
-	wallet_name: zod.default.string().optional(),
-	wallet_link: zod.default.url().optional()
-}).loose();
-const zClientAttestationJwtHeader = zod.default.object({
-	...zJwtHeader.shape,
-	typ: zod.default.literal("oauth-client-attestation+jwt")
-}).loose();
-const zOauthClientAttestationPopHeader = zod.default.literal("OAuth-Client-Attestation-PoP");
-const oauthClientAttestationPopHeader = zOauthClientAttestationPopHeader.value;
-const zClientAttestationPopJwtPayload = zod.default.object({
-	...zJwtPayload.shape,
-	iss: zod.default.string(),
-	exp: __openid4vc_utils.zInteger,
-	aud: zod.default.union([__openid4vc_utils.zHttpsUrl, zod.default.array(__openid4vc_utils.zHttpsUrl)]),
-	jti: zod.default.string(),
-	nonce: zod.default.optional(zod.default.string())
-}).loose();
-const zClientAttestationPopJwtHeader = zod.default.object({
-	...zJwtHeader.shape,
-	typ: zod.default.literal("oauth-client-attestation-pop+jwt")
-}).loose();
-
-//#endregion
-//#region src/client-attestation/client-attestation-pop.ts
-async function verifyClientAttestationPopJwt(options) {
-	const { header, payload } = decodeJwt({
-		jwt: options.clientAttestationPopJwt,
-		headerSchema: zClientAttestationPopJwtHeader,
-		payloadSchema: zClientAttestationPopJwtPayload
-	});
-	if (payload.iss !== options.clientAttestation.payload.sub) throw new Oauth2Error(`Client Attestation Pop jwt contains 'iss' (client_id) value '${payload.iss}', but expected 'sub' value from client attestation '${options.clientAttestation.payload.sub}'`);
-	const { signer } = await verifyJwt({
-		signer: {
-			alg: header.alg,
-			method: "jwk",
-			publicJwk: options.clientAttestation.payload.cnf.jwk
-		},
-		now: options.now,
-		header,
-		expectedNonce: options.expectedNonce,
-		payload,
-		expectedAudience: options.authorizationServer,
-		compact: options.clientAttestationPopJwt,
-		verifyJwtCallback: options.callbacks.verifyJwt,
-		errorMessage: "client attestation pop jwt verification failed"
-	});
-	return {
-		header,
-		payload,
-		signer
-	};
-}
-async function createClientAttestationPopJwt(options) {
-	const clientAttestation = decodeJwt({
-		jwt: options.clientAttestation,
-		headerSchema: zClientAttestationJwtHeader,
-		payloadSchema: zClientAttestationJwtPayload
-	});
-	const signer = options.signer ?? {
-		method: "jwk",
-		alg: clientAttestation.header.alg,
-		publicJwk: clientAttestation.payload.cnf.jwk
-	};
-	const header = (0, __openid4vc_utils.parseWithErrorHandling)(zClientAttestationPopJwtHeader, {
-		typ: "oauth-client-attestation-pop+jwt",
-		alg: signer.alg
-	});
-	const expiresAt = options.expiresAt ?? (0, __openid4vc_utils.addSecondsToDate)(options.issuedAt ?? /* @__PURE__ */ new Date(), 60);
-	const payload = (0, __openid4vc_utils.parseWithErrorHandling)(zClientAttestationPopJwtPayload, {
-		aud: options.authorizationServer,
-		iss: clientAttestation.payload.sub,
-		iat: (0, __openid4vc_utils.dateToSeconds)(options.issuedAt),
-		exp: (0, __openid4vc_utils.dateToSeconds)(expiresAt),
-		jti: (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
-		nonce: options.nonce,
-		...options.additionalPayload
-	});
-	const { jwt } = await options.callbacks.signJwt(signer, {
-		header,
-		payload
-	});
-	return jwt;
-}
-
-//#endregion
-//#region src/client-attestation/client-attestation.ts
-async function verifyClientAttestationJwt(options) {
-	const { header, payload } = decodeJwt({
-		jwt: options.clientAttestationJwt,
-		headerSchema: zClientAttestationJwtHeader,
-		payloadSchema: zClientAttestationJwtPayload
-	});
-	const { signer } = await verifyJwt({
-		signer: jwtSignerFromJwt({
-			header,
-			payload
-		}),
-		now: options.now,
-		header,
-		payload,
-		compact: options.clientAttestationJwt,
-		verifyJwtCallback: options.callbacks.verifyJwt,
-		errorMessage: "client attestation jwt verification failed."
-	});
-	return {
-		header,
-		payload,
-		signer
-	};
-}
-async function createClientAttestationJwt(options) {
-	const header = (0, __openid4vc_utils.parseWithErrorHandling)(zClientAttestationJwtHeader, {
-		typ: "oauth-client-attestation+jwt",
-		...jwtHeaderFromJwtSigner(options.signer)
-	});
-	const payload = (0, __openid4vc_utils.parseWithErrorHandling)(zClientAttestationJwtPayload, {
-		iss: options.issuer,
-		iat: (0, __openid4vc_utils.dateToSeconds)(options.issuedAt),
-		exp: (0, __openid4vc_utils.dateToSeconds)(options.expiresAt),
-		sub: options.clientId,
-		cnf: options.confirmation,
-		...options.additionalPayload
-	});
-	const { jwt } = await options.callbacks.signJwt(options.signer, {
-		header,
-		payload
-	});
-	return jwt;
-}
-function extractClientAttestationJwtsFromHeaders(headers) {
-	const clientAttestationHeader = headers.get(oauthClientAttestationHeader);
-	const clientAttestationPopHeader = headers.get(oauthClientAttestationPopHeader);
-	if (!clientAttestationHeader && !clientAttestationPopHeader) return { valid: true };
-	if (!clientAttestationHeader || !clientAttestationPopHeader) return { valid: false };
-	if (!zCompactJwt.safeParse(clientAttestationHeader).success || !zCompactJwt.safeParse(clientAttestationPopHeader).success) return { valid: false };
-	return {
-		valid: true,
-		clientAttestationPopHeader,
-		clientAttestationHeader
-	};
-}
-async function verifyClientAttestation({ authorizationServer, clientAttestationJwt, clientAttestationPopJwt, callbacks, now }) {
-	try {
-		const clientAttestation = await verifyClientAttestationJwt({
-			callbacks,
-			clientAttestationJwt,
-			now
-		});
-		return {
-			clientAttestation,
-			clientAttestationPop: await verifyClientAttestationPopJwt({
-				callbacks,
-				authorizationServer,
-				clientAttestation,
-				clientAttestationPopJwt,
-				now
-			})
-		};
-	} catch (error) {
-		if (error instanceof Oauth2Error) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidClient,
-			error_description: `Error verifying client attestation. ${error.message}`
-		}, {
-			status: 401,
-			cause: error
-		});
-		throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.ServerError,
-			error_description: "Error during verification of client attestation jwt"
-		}, {
-			status: 500,
-			cause: error,
-			internalMessage: "Unknown error thrown during verification of client attestation jwt"
-		});
-	}
-}
-
-//#endregion
-//#region src/dpop/z-dpop.ts
-const zDpopJwtPayload = zod.default.object({
-	...zJwtPayload.shape,
-	iat: __openid4vc_utils.zInteger,
-	htu: __openid4vc_utils.zHttpsUrl,
-	htm: __openid4vc_utils.zHttpMethod,
-	jti: zod.default.string(),
-	ath: zod.default.optional(zod.default.string())
-}).loose();
-const zDpopJwtHeader = zod.default.object({
-	...zJwtHeader.shape,
-	typ: zod.default.literal("dpop+jwt"),
-	jwk: zJwk
-}).loose();
-
-//#endregion
-//#region src/dpop/dpop.ts
-async function createDpopHeadersForRequest(options) {
-	return { DPoP: await createDpopJwt(options) };
-}
-async function createDpopJwt(options) {
-	let ath;
-	if (options.accessToken) ath = (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.hash((0, __openid4vc_utils.decodeUtf8String)(options.accessToken), HashAlgorithm.Sha256));
-	const header = (0, __openid4vc_utils.parseWithErrorHandling)(zDpopJwtHeader, {
-		typ: "dpop+jwt",
-		jwk: options.signer.publicJwk,
-		alg: options.signer.alg
-	});
-	const payload = (0, __openid4vc_utils.parseWithErrorHandling)(zDpopJwtPayload, {
-		htu: htuFromRequestUrl(options.request.url),
-		iat: (0, __openid4vc_utils.dateToSeconds)(options.issuedAt),
-		htm: options.request.method,
-		jti: (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
-		ath,
-		nonce: options.nonce,
-		...options.additionalPayload
-	});
-	const { jwt } = await options.callbacks.signJwt(options.signer, {
-		header,
-		payload
-	});
-	return jwt;
-}
-async function verifyDpopJwt(options) {
-	try {
-		const { header, payload } = decodeJwt({
-			jwt: options.dpopJwt,
-			headerSchema: zDpopJwtHeader,
-			payloadSchema: zDpopJwtPayload
-		});
-		if (options.allowedSigningAlgs && !options.allowedSigningAlgs.includes(header.alg)) throw new Oauth2Error(`dpop jwt uses alg value '${header.alg}' but allowed dpop signging alg values are ${options.allowedSigningAlgs.join(", ")}.`);
-		if (options.expectedNonce) {
-			if (!payload.nonce) throw new Oauth2Error(`Dpop jwt does not have a nonce value, but expected nonce value '${options.expectedNonce}'`);
-			if (payload.nonce !== options.expectedNonce) throw new Oauth2Error(`Dpop jwt contains nonce value '${payload.nonce}', but expected nonce value '${options.expectedNonce}'`);
-		}
-		if (options.request.method !== payload.htm) throw new Oauth2Error(`Dpop jwt contains htm value '${payload.htm}', but expected htm value '${options.request.method}'`);
-		const expectedHtu = htuFromRequestUrl(options.request.url);
-		if (expectedHtu !== payload.htu) throw new Oauth2Error(`Dpop jwt contains htu value '${payload.htu}', but expected htu value '${expectedHtu}'.`);
-		if (options.accessToken) {
-			const expectedAth = (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.hash((0, __openid4vc_utils.decodeUtf8String)(options.accessToken), HashAlgorithm.Sha256));
-			if (!payload.ath) throw new Oauth2Error(`Dpop jwt does not have a ath value, but expected ath value '${expectedAth}'.`);
-			if (payload.ath !== expectedAth) throw new Oauth2Error(`Dpop jwt contains ath value '${payload.ath}', but expected ath value '${expectedAth}'.`);
-		}
-		const jwkThumbprint = await calculateJwkThumbprint({
-			hashAlgorithm: HashAlgorithm.Sha256,
-			hashCallback: options.callbacks.hash,
-			jwk: header.jwk
-		});
-		if (options.expectedJwkThumbprint && options.expectedJwkThumbprint !== jwkThumbprint) throw new Oauth2Error(`Dpop is signed with jwk with thumbprint value '${jwkThumbprint}', but expect jwk thumbprint value '${options.expectedJwkThumbprint}'`);
-		await verifyJwt({
-			signer: {
-				alg: header.alg,
-				method: "jwk",
-				publicJwk: header.jwk
-			},
-			now: options.now,
-			header,
-			payload,
-			compact: options.dpopJwt,
-			verifyJwtCallback: options.callbacks.verifyJwt,
-			errorMessage: "dpop jwt verification failed"
-		});
-		return {
-			header,
-			payload,
-			jwkThumbprint
-		};
-	} catch (error) {
-		if (error instanceof Oauth2Error) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidDpopProof,
-			error_description: error.message
-		});
-		throw error;
-	}
-}
-function htuFromRequestUrl(requestUrl) {
-	const htu = new __openid4vc_utils.URL(requestUrl);
-	htu.search = "";
-	htu.hash = "";
-	return htu.toString();
-}
-function extractDpopNonceFromHeaders(headers) {
-	return headers.get("DPoP-Nonce");
-}
-function extractDpopJwtFromHeaders(headers) {
-	const dpopJwt = headers.get("DPoP");
-	if (!dpopJwt) return { valid: true };
-	if (!zCompactJwt.safeParse(dpopJwt).success) return { valid: false };
-	return {
-		valid: true,
-		dpopJwt
-	};
-}
-
-//#endregion
-//#region src/authorization-request/parse-authorization-request.ts
-/**
-* Parse an authorization request.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-function parseAuthorizationRequest(options) {
-	const extractedDpopJwt = extractDpopJwtFromHeaders(options.request.headers);
-	if (!extractedDpopJwt.valid) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
-	});
-	const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
-	if (!extractedClientAttestationJwts.valid) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidClient,
-		error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
-	});
-	return {
-		dpop: extractedDpopJwt.dpopJwt ? {
-			jwt: extractedDpopJwt.dpopJwt,
-			jwkThumbprint: options.authorizationRequest.dpop_jkt
-		} : options.authorizationRequest.dpop_jkt ? {
-			jwt: extractedDpopJwt.dpopJwt,
-			jwkThumbprint: options.authorizationRequest.dpop_jkt
-		} : void 0,
-		clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
-			clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
-			clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
-		} : void 0
-	};
-}
-
-//#endregion
-//#region src/authorization-request/z-authorization-request.ts
-const zPushedAuthorizationRequestUriPrefix = zod.default.literal("urn:ietf:params:oauth:request_uri:");
-const pushedAuthorizationRequestUriPrefix = zPushedAuthorizationRequestUriPrefix.value;
-const zAuthorizationRequest = zod.default.object({
-	response_type: zod.default.string(),
-	client_id: zod.default.string(),
-	issuer_state: zod.default.optional(zod.default.string()),
-	redirect_uri: zod.default.url().optional(),
-	resource: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	scope: zod.default.optional(zod.default.string()),
-	state: zod.default.optional(zod.default.string()),
-	dpop_jkt: zod.default.optional(zod.default.base64url()),
-	code_challenge: zod.default.optional(zod.default.string()),
-	code_challenge_method: zod.default.optional(zod.default.string())
-}).loose();
-const zPushedAuthorizationRequest = zod.default.object({
-	request_uri: zod.default.string(),
-	client_id: zod.default.string()
-}).loose();
-const zPushedAuthorizationResponse = zod.default.object({
-	request_uri: zod.default.string(),
-	expires_in: zod.default.number().int()
-}).loose();
-
-//#endregion
-//#region src/authorization-request/parse-pushed-authorization-request.ts
-/**
-* Parse an pushed authorization request.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-async function parsePushedAuthorizationRequest(options) {
-	const parsed = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([zAuthorizationRequest, zJarAuthorizationRequest]), options.authorizationRequest, "Invalid authorization request. Could not parse authorization request or jar.");
-	let parsedAuthorizationRequest;
-	let authorizationRequestJwt;
-	if (isJarAuthorizationRequest(parsed)) {
-		const parsedJar = await parseJarRequest({
-			jarRequestParams: parsed,
-			callbacks: options.callbacks
-		});
-		const jwt = decodeJwt({ jwt: parsedJar.authorizationRequestJwt });
-		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(jwt.payload);
-		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Invalid authorization request. Could not parse jar request payload.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationRequest.error)}`
-		});
-		authorizationRequestJwt = parsedJar.authorizationRequestJwt;
-	} else {
-		parsedAuthorizationRequest = zAuthorizationRequest.safeParse(options.authorizationRequest);
-		if (!parsedAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Error occurred during validation of pushed authorization request.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationRequest.error)}`
-		});
-	}
-	const authorizationRequest = parsedAuthorizationRequest.data;
-	const { clientAttestation, dpop } = parseAuthorizationRequest({
-		authorizationRequest,
-		request: options.request
-	});
-	return {
-		authorizationRequest,
-		authorizationRequestJwt,
-		dpop,
-		clientAttestation
-	};
-}
-/**
-* Parse a pushed authorization request URI prefixed with `urn:ietf:params:oauth:request_uri:`
-* and returns the identifier, without the prefix.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-function parsePushedAuthorizationRequestUriReferenceValue(options) {
-	if (!options.uri.startsWith(pushedAuthorizationRequestUriPrefix)) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `The 'request_uri' must start with the prefix "${pushedAuthorizationRequestUriPrefix}".`
-	});
-	return options.uri.substring(pushedAuthorizationRequestUriPrefix.length);
-}
-
-//#endregion
-//#region src/authorization-response/z-authorization-response.ts
-const zAuthorizationResponse = zod.default.object({
-	state: zod.default.string().optional(),
-	code: zod.default.string().nonempty(),
-	error: zod.default.optional(zod.default.never())
-}).loose();
-const zAuthorizationResponseFromUriParams = zod.default.url().transform((url) => Object.fromEntries(new __openid4vc_utils.URL(url).searchParams)).pipe(zAuthorizationResponse);
-const zAuthorizationErrorResponse = zod.default.object({
-	...zOauth2ErrorResponse.shape,
-	state: zod.default.string().optional(),
-	code: zod.default.optional(zod.default.never())
-}).loose();
-
-//#endregion
-//#region src/authorization-response/parse-authorization-response.ts
-/**
-* Parse an authorization response redirect URL.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-function parseAuthorizationResponseRedirectUrl(options) {
-	const searchParams = Object.fromEntries(new __openid4vc_utils.URL(options.url).searchParams);
-	const parsedAuthorizationResponse = zod.default.union([zAuthorizationErrorResponse, zAuthorizationResponse]).safeParse(searchParams);
-	if (!parsedAuthorizationResponse.success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Error occurred during validation of authorization response redirect URL.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationResponse.error)}`
-	});
-	return parsedAuthorizationResponse.data;
-}
-
-//#endregion
-//#region src/z-grant-type.ts
-const zPreAuthorizedCodeGrantIdentifier = zod.default.literal("urn:ietf:params:oauth:grant-type:pre-authorized_code");
-const preAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier.value;
-const zAuthorizationCodeGrantIdentifier = zod.default.literal("authorization_code");
-const authorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier.value;
-const zRefreshTokenGrantIdentifier = zod.default.literal("refresh_token");
-const refreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier.value;
-
-//#endregion
-//#region src/client-authentication.ts
-let SupportedClientAuthenticationMethod = /* @__PURE__ */ function(SupportedClientAuthenticationMethod$1) {
-	SupportedClientAuthenticationMethod$1["ClientSecretBasic"] = "client_secret_basic";
-	SupportedClientAuthenticationMethod$1["ClientSecretPost"] = "client_secret_post";
-	SupportedClientAuthenticationMethod$1["ClientAttestationJwt"] = "attest_jwt_client_auth";
-	SupportedClientAuthenticationMethod$1["None"] = "none";
-	return SupportedClientAuthenticationMethod$1;
-}({});
-/**
-* Determine the supported client authentication method based on authorization
-* server metadata
-*/
-function getSupportedClientAuthenticationMethod(authorizationServer, endpointType) {
-	if (endpointType === "introspection" && authorizationServer.introspection_endpoint_auth_methods_supported) {
-		const supportedMethod = authorizationServer.introspection_endpoint_auth_methods_supported.find((m) => Object.values(SupportedClientAuthenticationMethod).includes(m));
-		if (!supportedMethod) throw new Oauth2Error(`Authorization server metadata for issuer '${authorizationServer.issuer}' has 'introspection_endpoint_auth_methods_supported' metadata, but does not contain a supported value. Supported values are '${Object.values(SupportedClientAuthenticationMethod).join(", ")}', found values are '${authorizationServer.introspection_endpoint_auth_methods_supported.join(", ")}'`);
-		return supportedMethod;
-	}
-	if (authorizationServer.token_endpoint_auth_methods_supported) {
-		const supportedMethod = authorizationServer.token_endpoint_auth_methods_supported.find((m) => Object.values(SupportedClientAuthenticationMethod).includes(m));
-		if (!supportedMethod) throw new Oauth2Error(`Authorization server metadata for issuer '${authorizationServer.issuer}' has 'token_endpoint_auth_methods_supported' metadata, but does not contain a supported value. Supported values are '${Object.values(SupportedClientAuthenticationMethod).join(", ")}', found values are '${authorizationServer.token_endpoint_auth_methods_supported.join(", ")}'`);
-		return supportedMethod;
-	}
-	return SupportedClientAuthenticationMethod.ClientSecretBasic;
-}
-/**
-* Dynamicaly get the client authentication method based on endpoint type and authorization server.
-* Only `client_secret_post`, `client_secret_basic`, and `none` supported.
-*
-* It also supports anonymous access to the token endpoint for pre-authorized code flow
-* if the authorization server has enabled `pre-authorized_grant_anonymous_access_supported`
-*/
-function clientAuthenticationDynamic(options) {
-	return (callbackOptions) => {
-		const { url, authorizationServerMetadata, body } = callbackOptions;
-		const endpointType = url === authorizationServerMetadata.introspection_endpoint ? "introspection" : url === authorizationServerMetadata.token_endpoint ? "token" : "endpoint";
-		const method = getSupportedClientAuthenticationMethod(authorizationServerMetadata, endpointType);
-		if (endpointType === "token" && body.grant_type === preAuthorizedCodeGrantIdentifier && authorizationServerMetadata["pre-authorized_grant_anonymous_access_supported"]) return clientAuthenticationAnonymous()(callbackOptions);
-		if (method === SupportedClientAuthenticationMethod.ClientSecretBasic) return clientAuthenticationClientSecretBasic(options)(callbackOptions);
-		if (method === SupportedClientAuthenticationMethod.ClientSecretPost) return clientAuthenticationClientSecretPost(options)(callbackOptions);
-		if (method === SupportedClientAuthenticationMethod.None) return clientAuthenticationNone(options)(callbackOptions);
-		throw new Oauth2Error(`Unsupported client auth method ${method}. Supported values are ${Object.values(SupportedClientAuthenticationMethod).join(", ")}`);
-	};
-}
-/**
-* Client authentication using `client_secret_post` option
-*/
-function clientAuthenticationClientSecretPost(options) {
-	return ({ body }) => {
-		body.client_id = options.clientId;
-		body.client_secret = options.clientSecret;
-	};
-}
-/**
-* Client authentication using `client_secret_basic` option
-*/
-function clientAuthenticationClientSecretBasic(options) {
-	return ({ headers }) => {
-		const authorization = (0, __openid4vc_utils.encodeToBase64Url)((0, __openid4vc_utils.decodeUtf8String)(`${options.clientId}:${options.clientSecret}`));
-		headers.set("Authorization", `Basic ${authorization}`);
-	};
-}
-/**
-* Client authentication using `none` option
-*/
-function clientAuthenticationNone(options) {
-	return ({ body }) => {
-		body.client_id = options.clientId;
-	};
-}
-/**
-* Anonymous client authentication
-*/
-function clientAuthenticationAnonymous() {
-	return () => {};
-}
-/**
-* Client authentication using `attest_jwt_client_auth` option.
-*/
-function clientAuthenticationClientAttestationJwt(options) {
-	return async ({ headers, authorizationServerMetadata }) => {
-		const clientAttestationPop = await createClientAttestationPopJwt({
-			authorizationServer: authorizationServerMetadata.issuer,
-			callbacks: options.callbacks,
-			clientAttestation: options.clientAttestationJwt
-		});
-		headers.set(oauthClientAttestationHeader, options.clientAttestationJwt);
-		headers.set(oauthClientAttestationPopHeader, clientAttestationPop);
-	};
-}
-
-//#endregion
-//#region src/common/algorithm/algorithm-transform.ts
-/**
-* Algorithm transformation utilities for JWA and COSE
-*
-* This module provides utilities to transform between JWA (JSON Web Algorithms)
-* signature algorithm identifiers and fully-specified COSE (CBOR Object Signing and Encryption)
-* algorithm identifiers.
-*
-* Based on RFC 9864: Fully-Specified Algorithms for JOSE and COSE
-* https://www.rfc-editor.org/rfc/rfc9864.html
-*/
-/**
-* JWA (JSON Web Algorithms) signature algorithm identifiers
-*
-* From RFC 7518 (JWA) and RFC 9864 (Fully-Specified Algorithms)
-*/
-var JwaSignatureAlgorithm = /* @__PURE__ */ function(JwaSignatureAlgorithm$1) {
-	JwaSignatureAlgorithm$1["Ed25519"] = "Ed25519";
-	JwaSignatureAlgorithm$1["Ed448"] = "Ed448";
-	JwaSignatureAlgorithm$1["EdDSA"] = "EdDSA";
-	JwaSignatureAlgorithm$1["ES256"] = "ES256";
-	JwaSignatureAlgorithm$1["ES384"] = "ES384";
-	JwaSignatureAlgorithm$1["ES512"] = "ES512";
-	JwaSignatureAlgorithm$1["ES256K"] = "ES256K";
-	JwaSignatureAlgorithm$1["RS256"] = "RS256";
-	JwaSignatureAlgorithm$1["RS384"] = "RS384";
-	JwaSignatureAlgorithm$1["RS512"] = "RS512";
-	JwaSignatureAlgorithm$1["PS256"] = "PS256";
-	JwaSignatureAlgorithm$1["PS384"] = "PS384";
-	JwaSignatureAlgorithm$1["PS512"] = "PS512";
-	return JwaSignatureAlgorithm$1;
-}(JwaSignatureAlgorithm || {});
-/**
-* Mapping of JWA signature algorithm identifiers to fully-specified COSE algorithm identifiers
-*
-* From RFC 9864:
-* - EdDSA algorithms (Section 2.2)
-* - ECDSA algorithms (Section 2.1) - JWA ECDSA algorithms are already fully-specified
-*
-* Note: JWA ECDSA algorithms (ES256, ES384, ES512) are already fully-specified,
-* while COSE ECDSA algorithms with the same names are polymorphic and deprecated.
-* The fully-specified COSE equivalents use different names (ESP256, ESP384, ESP512).
-*/
-const JWA_SIGNATURE_TO_COSE_ALGORITHM_MAP = {
-	[JwaSignatureAlgorithm.Ed25519]: -19,
-	[JwaSignatureAlgorithm.Ed448]: -53,
-	[JwaSignatureAlgorithm.EdDSA]: -19,
-	[JwaSignatureAlgorithm.ES256]: -9,
-	[JwaSignatureAlgorithm.ES384]: -51,
-	[JwaSignatureAlgorithm.ES512]: -52,
-	[JwaSignatureAlgorithm.ES256K]: -47,
-	[JwaSignatureAlgorithm.RS256]: -257,
-	[JwaSignatureAlgorithm.RS384]: -258,
-	[JwaSignatureAlgorithm.RS512]: -259,
-	[JwaSignatureAlgorithm.PS256]: -37,
-	[JwaSignatureAlgorithm.PS384]: -38,
-	[JwaSignatureAlgorithm.PS512]: -39
-};
-/**
-* Mapping of COSE algorithm identifiers to JWA signature algorithm identifiers
-*
-* This is the inverse of JWA_SIGNATURE_TO_COSE_ALGORITHM_MAP, with additional entries
-* for deprecated polymorphic COSE algorithms that should be avoided.
-*/
-const COSE_TO_JWA_SIGNATURE_ALGORITHM_MAP = {
-	[-19]: JwaSignatureAlgorithm.Ed25519,
-	[-53]: JwaSignatureAlgorithm.Ed448,
-	[-8]: JwaSignatureAlgorithm.Ed25519,
-	[-9]: JwaSignatureAlgorithm.ES256,
-	[-51]: JwaSignatureAlgorithm.ES384,
-	[-52]: JwaSignatureAlgorithm.ES512,
-	[-47]: JwaSignatureAlgorithm.ES256K,
-	[-7]: JwaSignatureAlgorithm.ES256,
-	[-35]: JwaSignatureAlgorithm.ES384,
-	[-36]: JwaSignatureAlgorithm.ES512,
-	[-257]: JwaSignatureAlgorithm.RS256,
-	[-258]: JwaSignatureAlgorithm.RS384,
-	[-259]: JwaSignatureAlgorithm.RS512,
-	[-37]: JwaSignatureAlgorithm.PS256,
-	[-38]: JwaSignatureAlgorithm.PS384,
-	[-39]: JwaSignatureAlgorithm.PS512
-};
-/**
-* Transform a JWA signature algorithm identifier to an RFC 9864 fully-specified COSE algorithm identifier
-*
-* @param jwaAlg - JWA signature algorithm identifier (e.g., 'Ed25519', 'ES256')
-* @returns Fully-specified COSE algorithm identifier (e.g., -19, -9) or undefined if not mappable
-*
-* @example
-* ```typescript
-* const coseAlg = jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm('Ed25519') // Returns -19
-* const coseAlg = jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm('ES256')   // Returns -9 (ESP256)
-* ```
-*/
-function jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm(jwaAlg) {
-	return JWA_SIGNATURE_TO_COSE_ALGORITHM_MAP[jwaAlg];
-}
-/**
-* Transform a COSE algorithm identifier (either RFC 9864 fully-specified, or polymorphic) to a JWA signature algorithm identifier
-*
-* @param coseAlg - COSE algorithm identifier (e.g., -19, -9)
-* @returns JWA signature algorithm identifier (e.g., 'Ed25519', 'ES256') or undefined if not mappable
-*
-* @example
-* ```typescript
-* const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(-19) // Returns 'Ed25519'
-* const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(-9)  // Returns 'ES256'
-* const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(-7)  // Returns 'ES256' (deprecated polymorphic COSE ES256)
-* ```
-*/
-function fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(coseAlg) {
-	return COSE_TO_JWA_SIGNATURE_ALGORITHM_MAP[coseAlg];
-}
-/**
-* Transform an array of JWA signature algorithm identifiers to RFC 9864 fully-specified COSE algorithm identifiers.
-*
-* By default it filters out unmappable algorithms. You can also choose to throw an error when an unknown
-* algorithm is detected.
-*
-* @param jwaAlgs - Array of JWA signature algorithm identifiers
-* @returns Array of fully-specified COSE algorithm identifiers
-*
-* @example
-* ```typescript
-* const coseAlgs = jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray(['Ed25519', 'ES256', 'Unknown'])
-* // Returns [-19, -9]
-* ```
-*/
-function jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray(jwaAlgs, throwOnUnknownValue = false) {
-	return jwaAlgs.map((jwaAlg) => {
-		const coseAlg = jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm(jwaAlg);
-		if (coseAlg || !throwOnUnknownValue) return coseAlg;
-		throw new Oauth2Error(`Found unknown JWA signature algorithm '${jwaAlg}'. Unable to map to COSE algorithm.`);
-	}).filter((coseAlg) => coseAlg !== void 0);
-}
-/**
-* Transform an array of COSE algorithm identifiers (either RFC 9864 fully-specified or polymorphic) to JWA signature algorithm identifiers
-*
-* By default it filters out unmappable algorithms. You can also choose to throw an error when an unknown
-* algorithm is detected.
-*
-* @param coseAlgs - Array of COSE algorithm identifiers
-* @returns Array of JWA signature algorithm identifiers
-*
-* @example
-* ```typescript
-* const jwaAlgs = fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray([-19, -9, 999])
-* // Returns ['Ed25519', 'ES256']
-* ```
-*/
-function fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray(coseAlgs, throwOnUnknownValue = false) {
-	return coseAlgs.map((coseAlg) => {
-		const jwaAlg = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm(coseAlg);
-		if (jwaAlg || !throwOnUnknownValue) return jwaAlg;
-		throw new Oauth2Error(`Found unknown COSE algorithm identifier '${coseAlg}'. Unable to map to JWA signature algorithm.`);
-	}).filter((alg) => alg !== void 0);
-}
-
-//#endregion
-//#region src/error/Oauth2ClientErrorResponseError.ts
-var Oauth2ClientErrorResponseError = class extends Oauth2Error {
-	constructor(message, errorResponse, response) {
-		super(`${message}\n${JSON.stringify(errorResponse, null, 2)}`);
-		this.errorResponse = errorResponse;
-		this.response = response.clone();
-	}
-};
-
-//#endregion
-//#region src/error/Oauth2ClientAuthorizationChallengeError.ts
-var Oauth2ClientAuthorizationChallengeError = class extends Oauth2ClientErrorResponseError {
-	constructor(message, errorResponse, response) {
-		super(message, errorResponse, response);
-		this.errorResponse = errorResponse;
-	}
-};
-
-//#endregion
-//#region src/error/Oauth2ResourceUnauthorizedError.ts
-var Oauth2ResourceUnauthorizedError = class Oauth2ResourceUnauthorizedError extends Oauth2Error {
-	constructor(internalMessage, wwwAuthenticateHeaders) {
-		super(`${internalMessage}\n${JSON.stringify(wwwAuthenticateHeaders, null, 2)}`);
-		this.wwwAuthenticateHeaders = Array.isArray(wwwAuthenticateHeaders) ? wwwAuthenticateHeaders : [wwwAuthenticateHeaders];
-	}
-	static fromHeaderValue(value) {
-		return new Oauth2ResourceUnauthorizedError(void 0, (0, __openid4vc_utils.parseWwwAuthenticateHeader)(value).map(({ scheme, payload: { error, error_description, scope, ...additionalPayload } }) => ({
-			scheme,
-			error: Array.isArray(error) ? error.join(",") : error ?? void 0,
-			error_description: Array.isArray(error_description) ? error_description.join(",") : error_description ?? void 0,
-			scope: Array.isArray(scope) ? scope.join(",") : scope ?? void 0,
-			...additionalPayload
-		})));
-	}
-	toHeaderValue() {
-		return (0, __openid4vc_utils.encodeWwwAuthenticateHeader)(this.wwwAuthenticateHeaders.map((header) => ({
-			scheme: header.scheme,
-			payload: {
-				error: header.error ?? null,
-				error_description: header.error_description ?? null,
-				scope: header.scope ?? null,
-				...header.additionalPayload
-			}
-		})));
-	}
-};
-
-//#endregion
-//#region src/id-token/z-id-token-jwt.ts
-const zIdTokenJwtHeader = zod.default.object({ ...zJwtHeader.shape }).loose();
-const zIdTokenJwtPayload = zod.default.object({
-	...zJwtPayload.shape,
-	iss: zod.default.string(),
-	sub: zod.default.string(),
-	aud: zod.default.union([zod.default.string(), zod.default.array(zod.default.string())]),
-	exp: __openid4vc_utils.zInteger,
-	iat: __openid4vc_utils.zInteger,
-	auth_time: __openid4vc_utils.zInteger.optional(),
-	acr: zod.default.string().optional(),
-	amr: zod.default.array(zod.default.string()).optional(),
-	azp: zod.default.string().optional(),
-	name: zod.default.string().optional(),
-	given_name: zod.default.string().optional(),
-	family_name: zod.default.string().optional(),
-	middle_name: zod.default.string().optional(),
-	nickname: zod.default.string().optional(),
-	preferred_username: zod.default.string().optional(),
-	profile: zod.default.url().optional(),
-	picture: zod.default.url().optional(),
-	website: zod.default.url().optional(),
-	email: zod.default.email().optional(),
-	email_verified: zod.default.boolean().optional(),
-	gender: zod.default.enum(["male", "female"]).or(zod.default.string()).optional(),
-	birthdate: zod.default.iso.date().optional(),
-	zoneinfo: zod.default.string().optional(),
-	locale: zod.default.string().optional(),
-	phone_number: zod.default.string().optional(),
-	phone_number_verified: zod.default.boolean().optional(),
-	address: zod.default.object({
-		formatted: zod.default.string().optional(),
-		street_address: zod.default.string().optional(),
-		locality: zod.default.string().optional(),
-		region: zod.default.string().optional(),
-		postal_code: zod.default.string().optional(),
-		country: zod.default.string().optional()
-	}).loose().optional(),
-	updated_at: __openid4vc_utils.zInteger.optional()
-}).loose();
-
-//#endregion
-//#region src/id-token/verify-id-token.ts
-/**
-* Verify an ID Token JWT.
-*/
-async function verifyIdTokenJwt(options) {
-	const { header, payload } = decodeJwt({
-		jwt: options.idToken,
-		headerSchema: zIdTokenJwtHeader,
-		payloadSchema: zIdTokenJwtPayload
-	});
-	const jwksUrl = options.authorizationServer.jwks_uri;
-	if (!jwksUrl) throw new Oauth2Error(`Authorization server '${options.authorizationServer.issuer}' does not have a 'jwks_uri' parameter to fetch JWKs.`);
-	if (payload.iss !== options.authorizationServer.issuer) throw new Oauth2Error(`Invalid 'iss' claim in id token jwt. Expected '${options.authorizationServer.issuer}', got '${payload.iss}'.`);
-	if (payload.azp && payload.azp !== options.clientId) throw new Oauth2Error(`Invalid 'azp' claim in id token jwt. Expected '${options.clientId}', got '${payload.azp}'.`);
-	const jwks = await fetchJwks(jwksUrl, options.callbacks.fetch);
-	const publicJwk = extractJwkFromJwksForJwt({
-		kid: header.kid,
-		jwks,
-		use: "sig"
-	});
-	await verifyJwt({
-		compact: options.idToken,
-		header,
-		payload,
-		signer: {
-			method: "jwk",
-			publicJwk,
-			alg: header.alg
-		},
-		verifyJwtCallback: options.callbacks.verifyJwt,
-		errorMessage: "Error during verification of id token jwt.",
-		now: options.now,
-		expectedAudience: options.clientId,
-		expectedIssuer: options.authorizationServer.issuer,
-		expectedNonce: options.expectedNonce
-	});
-	return {
-		header,
-		payload
-	};
-}
-
-//#endregion
-//#region src/jar/create-jar-authorization-request.ts
-/**
-* Creates a JAR (JWT Authorization Request) request object.
-*
-* @param options - The input parameters
-* @param options.authorizationRequestPayload - The authorization request parameters
-* @param options.jwtSigner - The JWT signer
-* @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted
-* @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI
-* @param options.callbacks - The callback context
-* @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt
-*/
-async function createJarAuthorizationRequest(options) {
-	const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
-	let authorizationRequestJwt;
-	let encryptionJwk;
-	const now = options.now ?? /* @__PURE__ */ new Date();
-	const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
-		header: {
-			...jwtHeaderFromJwtSigner(jwtSigner),
-			typ: "oauth-authz-req+jwt"
-		},
-		payload: {
-			iat: (0, __openid4vc_utils.dateToSeconds)(now),
-			exp: (0, __openid4vc_utils.dateToSeconds)((0, __openid4vc_utils.addSecondsToDate)(now, options.expiresInSeconds)),
-			...options.additionalJwtPayload,
-			...authorizationRequestPayload
-		}
-	});
-	authorizationRequestJwt = jwt;
-	if (jweEncryptor) {
-		const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
-		authorizationRequestJwt = encryptionResult.jwe;
-		encryptionJwk = encryptionResult.encryptionJwk;
-	}
-	const client_id = authorizationRequestPayload.client_id;
-	return {
-		jarAuthorizationRequest: requestUri ? {
-			client_id,
-			request_uri: requestUri
-		} : {
-			client_id,
-			request: authorizationRequestJwt
-		},
-		signerJwk,
-		encryptionJwk,
-		authorizationRequestJwt
-	};
-}
-
-//#endregion
-//#region src/metadata/fetch-well-known-metadata.ts
-/**
-* Fetch well known metadata and validate the response.
-*
-* Returns null if 404 is returned
-* Returns validated metadata if successful response
-* Throws error otherwise
-*
-* @throws {ValidationError} if successful response but validation of response failed
-* @throws {InvalidFetchResponseError} if no successful or 404 response
-* @throws {Error} if parsing json from response fails
-*/
-async function fetchWellKnownMetadata(wellKnownMetadataUrl, schema, options) {
-	const { result, response } = await (0, __openid4vc_utils.createZodFetcher)(options?.fetch)(schema, options?.acceptedContentType ?? [__openid4vc_utils.ContentType.Json], wellKnownMetadataUrl);
-	if (response.status === 404) return null;
-	if (!response.ok) throw new __openid4vc_utils.InvalidFetchResponseError(`Fetching well known metadata from '${wellKnownMetadataUrl}' resulted in an unsuccessful response with status '${response.status}'.`, await response.clone().text(), response);
-	if (!result?.success) throw new ValidationError$1(`Validation of metadata from '${wellKnownMetadataUrl}' failed`, result?.error);
-	return result.data;
-}
-
-//#endregion
-//#region src/metadata/authorization-server/z-authorization-server-metadata.ts
-const knownClientAuthenticationMethod = zod.default.enum([
-	"client_secret_basic",
-	"client_secret_post",
-	"attest_jwt_client_auth",
-	"client_secret_jwt",
-	"private_key_jwt"
-]);
-const zAuthorizationServerMetadata = zod.default.object({
-	issuer: __openid4vc_utils.zHttpsUrl,
-	token_endpoint: __openid4vc_utils.zHttpsUrl,
-	token_endpoint_auth_methods_supported: zod.default.optional(zod.default.array(zod.default.union([knownClientAuthenticationMethod, zod.default.string()]))),
-	authorization_endpoint: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	jwks_uri: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	grant_types_supported: zod.default.optional(zod.default.array(zod.default.string())),
-	code_challenge_methods_supported: zod.default.optional(zod.default.array(zod.default.string())),
-	dpop_signing_alg_values_supported: zod.default.optional(zod.default.array(zod.default.string())),
-	require_pushed_authorization_requests: zod.default.optional(zod.default.boolean()),
-	pushed_authorization_request_endpoint: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	introspection_endpoint: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	introspection_endpoint_auth_methods_supported: zod.default.optional(zod.default.array(zod.default.union([knownClientAuthenticationMethod, zod.default.string()]))),
-	introspection_endpoint_auth_signing_alg_values_supported: zod.default.optional(zod.default.array(zAlgValueNotNone)),
-	authorization_challenge_endpoint: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	"pre-authorized_grant_anonymous_access_supported": zod.default.optional(zod.default.boolean()),
-	client_attestation_pop_nonce_required: zod.default.boolean().optional()
-}).loose().refine(({ introspection_endpoint_auth_methods_supported: methodsSupported, introspection_endpoint_auth_signing_alg_values_supported: algValuesSupported }) => {
-	if (!methodsSupported) return true;
-	if (!methodsSupported.includes("private_key_jwt") && !methodsSupported.includes("client_secret_jwt")) return true;
-	return algValuesSupported !== void 0 && algValuesSupported.length > 0;
-}, `Metadata value 'introspection_endpoint_auth_signing_alg_values_supported' must be defined if metadata 'introspection_endpoint_auth_methods_supported' value contains values 'private_key_jwt' or 'client_secret_jwt'`);
-
-//#endregion
-//#region src/metadata/authorization-server/authorization-server-metadata.ts
-const wellKnownAuthorizationServerSuffix = ".well-known/oauth-authorization-server";
-const wellKnownOpenIdConfigurationServerSuffix = ".well-known/openid-configuration";
-/**
-* fetch authorization server metadata. It first tries to fetch the oauth-authorization-server metadata. If that returns
-*  a 404, the openid-configuration metadata will be fetched.
-*/
-async function fetchAuthorizationServerMetadata(issuer, fetch) {
-	const parsedIssuerUrl = new __openid4vc_utils.URL(issuer);
-	const openIdConfigurationWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(issuer, [wellKnownOpenIdConfigurationServerSuffix]);
-	const authorizationServerWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(parsedIssuerUrl.origin, [wellKnownAuthorizationServerSuffix, parsedIssuerUrl.pathname]);
-	const nonCompliantAuthorizationServerWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(issuer, [wellKnownAuthorizationServerSuffix]);
-	let authorizationServerResult = await fetchWellKnownMetadata(authorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, { fetch });
-	if (!authorizationServerResult && nonCompliantAuthorizationServerWellKnownMetadataUrl !== authorizationServerWellKnownMetadataUrl) authorizationServerResult = await fetchWellKnownMetadata(nonCompliantAuthorizationServerWellKnownMetadataUrl, zAuthorizationServerMetadata, { fetch });
-	if (!authorizationServerResult) authorizationServerResult = await fetchWellKnownMetadata(openIdConfigurationWellKnownMetadataUrl, zAuthorizationServerMetadata, { fetch });
-	if (authorizationServerResult && authorizationServerResult.issuer !== issuer) throw new Oauth2Error(`The 'issuer' parameter '${authorizationServerResult.issuer}' in the well known authorization server metadata at '${authorizationServerWellKnownMetadataUrl}' does not match the provided issuer '${issuer}'.`);
-	return authorizationServerResult;
-}
-function getAuthorizationServerMetadataFromList(authorizationServersMetadata, issuer) {
-	const authorizationServerMetadata = authorizationServersMetadata.find((authorizationServerMetadata$1) => authorizationServerMetadata$1.issuer === issuer);
-	if (!authorizationServerMetadata) throw new Oauth2Error(`Authorization server '${issuer}' not found in list of authorization servers. Available authorization servers are ${authorizationServersMetadata.map((as) => `'${as.issuer}'`).join(", ")}`);
-	return authorizationServerMetadata;
-}
-
-//#endregion
-//#region src/access-token/create-access-token.ts
-/**
-* Create an oauth2 access token conformant with "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
-* @see https://datatracker.ietf.org/doc/html/rfc9068
-*/
-async function createAccessTokenJwt(options) {
-	const header = (0, __openid4vc_utils.parseWithErrorHandling)(zAccessTokenProfileJwtHeader, {
-		...jwtHeaderFromJwtSigner(options.signer),
-		typ: "at+jwt"
-	});
-	const now = options.now ?? /* @__PURE__ */ new Date();
-	const payload = (0, __openid4vc_utils.parseWithErrorHandling)(zAccessTokenProfileJwtPayload, {
-		iat: (0, __openid4vc_utils.dateToSeconds)(now),
-		exp: (0, __openid4vc_utils.dateToSeconds)((0, __openid4vc_utils.addSecondsToDate)(now, options.expiresInSeconds)),
-		aud: options.audience,
-		iss: options.authorizationServer,
-		jti: (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.generateRandom(32)),
-		client_id: options.clientId,
-		sub: options.subject,
-		scope: options.scope,
-		cnf: options.dpop ? { jkt: await calculateJwkThumbprint({
-			hashAlgorithm: HashAlgorithm.Sha256,
-			hashCallback: options.callbacks.hash,
-			jwk: options.dpop.jwk
-		}) } : void 0,
-		...options.additionalPayload
-	});
-	const { jwt } = await options.callbacks.signJwt(options.signer, {
-		header,
-		payload
-	});
-	return { jwt };
-}
-
-//#endregion
-//#region src/access-token/z-access-token.ts
-const zAccessTokenRequest = zod.default.intersection(zod.default.object({
-	"pre-authorized_code": zod.default.optional(zod.default.string()),
-	code: zod.default.optional(zod.default.string()),
-	redirect_uri: zod.default.url().optional(),
-	refresh_token: zod.default.optional(zod.default.string()),
-	resource: zod.default.optional(__openid4vc_utils.zHttpsUrl),
-	code_verifier: zod.default.optional(zod.default.string()),
-	grant_type: zod.default.union([
-		zPreAuthorizedCodeGrantIdentifier,
-		zAuthorizationCodeGrantIdentifier,
-		zRefreshTokenGrantIdentifier,
-		zod.default.string()
-	])
-}).loose(), zod.default.object({
-	tx_code: zod.default.optional(zod.default.string()),
-	user_pin: zod.default.optional(zod.default.string())
-}).loose().refine(({ tx_code, user_pin }) => !tx_code || !user_pin || user_pin === tx_code, { message: `If both 'tx_code' and 'user_pin' are present they must match` }).transform(({ tx_code, user_pin, ...rest }) => {
-	return {
-		...rest,
-		...tx_code ?? user_pin ? { tx_code: tx_code ?? user_pin } : {}
-	};
-}));
-const zAccessTokenResponse = zod.default.object({
-	access_token: zod.default.string(),
-	token_type: zod.default.string(),
-	expires_in: zod.default.optional(zod.default.number().int()),
-	scope: zod.default.optional(zod.default.string()),
-	state: zod.default.optional(zod.default.string()),
-	refresh_token: zod.default.optional(zod.default.string()),
-	c_nonce: zod.default.optional(zod.default.string()),
-	c_nonce_expires_in: zod.default.optional(zod.default.number().int()),
-	authorization_details: zod.default.array(zod.default.object({}).loose()).optional()
-}).loose();
-const zAccessTokenErrorResponse = zOauth2ErrorResponse;
-
-//#endregion
-//#region src/access-token/create-access-token-response.ts
-async function createAccessTokenResponse(options) {
-	return (0, __openid4vc_utils.parseWithErrorHandling)(zAccessTokenResponse, {
-		access_token: options.accessToken,
-		refresh_token: options.refreshToken,
-		token_type: options.tokenType,
-		expires_in: options.expiresInSeconds,
-		c_nonce: options.cNonce,
-		c_nonce_expires_in: options.cNonceExpiresIn,
-		...options.additionalPayload
-	});
-}
-
-//#endregion
-//#region src/access-token/parse-access-token-request.ts
-/**
-* Parse access token request and extract the grant specific properties.
-*
-* If something goes wrong, such as the grant is not supported, missing parameters, etc,
-* it will throw `Oauth2ServerErrorResponseError` containing an error response object
-* that can be returned to the client.
-*/
-function parseAccessTokenRequest(options) {
-	const parsedAccessTokenRequest = zAccessTokenRequest.safeParse(options.accessTokenRequest);
-	if (!parsedAccessTokenRequest.success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Error occurred during validation of authorization request.\n${(0, __openid4vc_utils.formatZodError)(parsedAccessTokenRequest.error)}`
-	});
-	const accessTokenRequest = parsedAccessTokenRequest.data;
-	let grant;
-	if (accessTokenRequest.grant_type === preAuthorizedCodeGrantIdentifier) {
-		if (!accessTokenRequest["pre-authorized_code"]) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Missing required 'pre-authorized_code' for grant type '${preAuthorizedCodeGrantIdentifier}'`
-		});
-		grant = {
-			grantType: preAuthorizedCodeGrantIdentifier,
-			preAuthorizedCode: accessTokenRequest["pre-authorized_code"],
-			txCode: accessTokenRequest.tx_code
-		};
-	} else if (accessTokenRequest.grant_type === authorizationCodeGrantIdentifier) {
-		if (!accessTokenRequest.code) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Missing required 'code' for grant type '${authorizationCodeGrantIdentifier}'`
-		});
-		grant = {
-			grantType: authorizationCodeGrantIdentifier,
-			code: accessTokenRequest.code
-		};
-	} else if (accessTokenRequest.grant_type === refreshTokenGrantIdentifier) {
-		if (!accessTokenRequest.refresh_token) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Missing required 'refresh_token' for grant type '${refreshTokenGrantIdentifier}'`
-		});
-		grant = {
-			grantType: refreshTokenGrantIdentifier,
-			refreshToken: accessTokenRequest.refresh_token
-		};
-	} else throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.UnsupportedGrantType,
-		error_description: `The grant type '${accessTokenRequest.grant_type}' is not supported`
-	});
-	const extractedDpopJwt = extractDpopJwtFromHeaders(options.request.headers);
-	if (!extractedDpopJwt.valid) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt`
-	});
-	const extractedClientAttestationJwts = extractClientAttestationJwtsFromHeaders(options.request.headers);
-	if (!extractedClientAttestationJwts.valid) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidClient,
-		error_description: "Request contains client attestation header, but the values are not valid client attestation and client attestation PoP header."
-	});
-	const pkceCodeVerifier = accessTokenRequest.code_verifier;
-	return {
-		accessTokenRequest,
-		grant,
-		dpop: extractedDpopJwt.dpopJwt ? { jwt: extractedDpopJwt.dpopJwt } : void 0,
-		clientAttestation: extractedClientAttestationJwts.clientAttestationHeader ? {
-			clientAttestationJwt: extractedClientAttestationJwts.clientAttestationHeader,
-			clientAttestationPopJwt: extractedClientAttestationJwts.clientAttestationPopHeader
-		} : void 0,
-		pkceCodeVerifier
-	};
-}
-
-//#endregion
-//#region src/pkce.ts
-let PkceCodeChallengeMethod = /* @__PURE__ */ function(PkceCodeChallengeMethod$1) {
-	PkceCodeChallengeMethod$1["Plain"] = "plain";
-	PkceCodeChallengeMethod$1["S256"] = "S256";
-	return PkceCodeChallengeMethod$1;
-}({});
-async function createPkce(options) {
-	const allowedCodeChallengeMethods = options.allowedCodeChallengeMethods ?? [PkceCodeChallengeMethod.S256, PkceCodeChallengeMethod.Plain];
-	if (allowedCodeChallengeMethods.length === 0) throw new Oauth2Error(`Unable to create PKCE code verifier. 'allowedCodeChallengeMethods' is an empty array.`);
-	const codeChallengeMethod = allowedCodeChallengeMethods.includes(PkceCodeChallengeMethod.S256) ? PkceCodeChallengeMethod.S256 : PkceCodeChallengeMethod.Plain;
-	const codeVerifier = options.codeVerifier ?? (0, __openid4vc_utils.encodeToBase64Url)(await options.callbacks.generateRandom(64));
-	return {
-		codeVerifier,
-		codeChallenge: await calculateCodeChallenge({
-			codeChallengeMethod,
-			codeVerifier,
-			hashCallback: options.callbacks.hash
-		}),
-		codeChallengeMethod
-	};
-}
-async function verifyPkce(options) {
-	const calculatedCodeChallenge = await calculateCodeChallenge({
-		codeChallengeMethod: options.codeChallengeMethod,
-		codeVerifier: options.codeVerifier,
-		hashCallback: options.callbacks.hash
-	});
-	if (options.codeChallenge !== calculatedCodeChallenge) throw new Oauth2Error(`Derived code challenge '${calculatedCodeChallenge}' from code_verifier '${options.codeVerifier}' using code challenge method '${options.codeChallengeMethod}' does not match the expected code challenge.`);
-}
-async function calculateCodeChallenge(options) {
-	if (options.codeChallengeMethod === PkceCodeChallengeMethod.Plain) return options.codeVerifier;
-	if (options.codeChallengeMethod === PkceCodeChallengeMethod.S256) return (0, __openid4vc_utils.encodeToBase64Url)(await options.hashCallback((0, __openid4vc_utils.decodeUtf8String)(options.codeVerifier), HashAlgorithm.Sha256));
-	throw new Oauth2Error(`Unsupported code challenge method ${options.codeChallengeMethod}`);
-}
-
-//#endregion
-//#region src/access-token/verify-access-token-request.ts
-async function verifyPreAuthorizedCodeAccessTokenRequest(options) {
-	if (options.pkce) await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
-	const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
-	const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(options.clientAttestation, options.authorizationServerMetadata, options.callbacks, dpopResult?.jwkThumbprint, options.now) : void 0;
-	if (options.grant.preAuthorizedCode !== options.expectedPreAuthorizedCode) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidGrant,
-		error_description: `Invalid 'pre-authorized_code' provided`
-	});
-	if (options.grant.txCode !== options.expectedTxCode) {
-		if (!options.expectedTxCode) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Request contains 'tx_code' that was not expected`
-		});
-		if (!options.grant.txCode) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Missing required 'tx_code' in request`
-		});
-		throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidGrant,
-			error_description: `Invalid 'tx_code' provided`
-		});
-	}
-	if (options.preAuthorizedCodeExpiresAt) {
-		const now = options.now ?? /* @__PURE__ */ new Date();
-		if (now.getTime() > options.preAuthorizedCodeExpiresAt.getTime()) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidGrant,
-			error_description: `Expired 'pre-authorized_code' provided`
-		}, { internalMessage: `The provided 'pre-authorized_code' in the request expired at '${options.preAuthorizedCodeExpiresAt.getTime()}', now is '${now.getTime()}'` });
-	}
-	return {
-		dpop: dpopResult,
-		clientAttestation: clientAttestationResult
-	};
-}
-async function verifyAuthorizationCodeAccessTokenRequest(options) {
-	if (options.pkce) await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
-	const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
-	const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(options.clientAttestation, options.authorizationServerMetadata, options.callbacks, dpopResult?.jwkThumbprint, options.now) : void 0;
-	if (options.grant.code !== options.expectedCode) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidGrant,
-		error_description: `Invalid 'code' provided`
-	});
-	if (options.codeExpiresAt) {
-		const now = options.now ?? /* @__PURE__ */ new Date();
-		if (now.getTime() > options.codeExpiresAt.getTime()) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidGrant,
-			error_description: `Expired 'code' provided`
-		}, { internalMessage: `The provided 'code' in the request expired at '${options.codeExpiresAt.getTime()}', now is '${now.getTime()}'` });
-	}
-	return {
-		dpop: dpopResult,
-		clientAttestation: clientAttestationResult
-	};
-}
-async function verifyRefreshTokenAccessTokenRequest(options) {
-	if (options.pkce) await verifyAccessTokenRequestPkce(options.pkce, options.callbacks);
-	const dpopResult = options.dpop ? await verifyAccessTokenRequestDpop(options.dpop, options.request, options.callbacks) : void 0;
-	const clientAttestationResult = options.clientAttestation ? await verifyAccessTokenRequestClientAttestation(options.clientAttestation, options.authorizationServerMetadata, options.callbacks, dpopResult?.jwkThumbprint, options.now) : void 0;
-	if (options.grant.refreshToken !== options.expectedRefreshToken) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidGrant,
-		error_description: `Invalid 'refresh_token' provided`
-	});
-	if (options.refreshTokenExpiresAt) {
-		const now = options.now ?? /* @__PURE__ */ new Date();
-		if (now.getTime() > options.refreshTokenExpiresAt.getTime()) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidGrant,
-			error_description: `Expired 'refresh_token' provided`
-		}, { internalMessage: `The provided 'refresh_token' in the request expired at '${options.refreshTokenExpiresAt.getTime()}', now is '${now.getTime()}'` });
-	}
-	return {
-		dpop: dpopResult,
-		clientAttestation: clientAttestationResult
-	};
-}
-async function verifyAccessTokenRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now) {
-	if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
-		if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) return;
-		throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidClient,
-			error_description: `Missing required client attestation parameters in access token request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
-		});
-	}
-	const verifiedClientAttestation = await verifyClientAttestation({
-		authorizationServer: authorizationServerMetadata.issuer,
-		callbacks,
-		clientAttestationJwt: options.clientAttestationJwt,
-		clientAttestationPopJwt: options.clientAttestationPopJwt,
-		now
-	});
-	if (options.expectedClientId && options.expectedClientId !== verifiedClientAttestation.clientAttestation.payload.sub) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidClient,
-		error_description: `The client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation does not match the client id for the authorization.`
-	}, { status: 401 });
-	if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
-		if (await calculateJwkThumbprint({
-			hashAlgorithm: HashAlgorithm.Sha256,
-			hashCallback: callbacks.hash,
-			jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
-		}) !== dpopJwkThumbprint) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensure both DPoP and client attestation use the same key."
-		}, { status: 401 });
-	}
-	return verifiedClientAttestation;
-}
-async function verifyAccessTokenRequestDpop(options, request, callbacks) {
-	if (options.required && !options.jwt) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: "Missing required DPoP proof"
-	});
-	if (!options.jwt) return void 0;
-	const { header, jwkThumbprint } = await verifyDpopJwt({
-		callbacks,
-		dpopJwt: options.jwt,
-		request,
-		allowedSigningAlgs: options.allowedSigningAlgs,
-		expectedJwkThumbprint: options.expectedJwkThumbprint
-	});
-	return {
-		jwk: header.jwk,
-		jwkThumbprint
-	};
-}
-async function verifyAccessTokenRequestPkce(options, callbacks) {
-	if (options.codeChallenge && !options.codeVerifier) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Missing required 'code_verifier' in access token request`
-	});
-	if (!options.codeVerifier) return null;
-	try {
-		await verifyPkce({
-			callbacks,
-			codeChallenge: options.codeChallenge,
-			codeChallengeMethod: options.codeChallengeMethod,
-			codeVerifier: options.codeVerifier
-		});
-	} catch (error) {
-		if (error instanceof Oauth2Error) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidGrant,
-			error_description: error.message
-		});
-		throw error;
-	}
-}
-
-//#endregion
-//#region src/authorization-challenge/z-authorization-challenge.ts
-const zAuthorizationChallengeRequest = zod.default.object({
-	...zAuthorizationRequest.omit({
-		response_type: true,
-		client_id: true
-	}).shape,
-	client_id: zod.default.optional(zAuthorizationRequest.shape.client_id),
-	auth_session: zod.default.optional(zod.default.string()),
-	presentation_during_issuance_session: zod.default.optional(zod.default.string())
-}).loose();
-const zAuthorizationChallengeResponse = zod.default.object({ authorization_code: zod.default.string() }).loose();
-const zAuthorizationChallengeErrorResponse = zod.default.object({
-	...zOauth2ErrorResponse.shape,
-	auth_session: zod.default.optional(zod.default.string()),
-	request_uri: zod.default.optional(zod.default.string()),
-	expires_in: zod.default.optional(__openid4vc_utils.zInteger),
-	presentation: zod.default.optional(zod.default.string())
-}).loose();
-
-//#endregion
-//#region src/authorization-challenge/create-authorization-challenge-response.ts
-/**
-* Create an authorization challenge response
-*
-* @throws {ValidationError} if an error occurred during verification of the {@link AuthorizationChallengeResponse}
-*/
-function createAuthorizationChallengeResponse(options) {
-	return { authorizationChallengeResponse: (0, __openid4vc_utils.parseWithErrorHandling)(zAuthorizationChallengeResponse, {
-		...options.additionalPayload,
-		authorization_code: options.authorizationCode
-	}) };
-}
-/**
-* Create an authorization challenge error response
-*
-* @throws {ValidationError} if an error occurred during validation of the {@link AuthorizationChallengeErrorResponse}
-*/
-function createAuthorizationChallengeErrorResponse(options) {
-	return (0, __openid4vc_utils.parseWithErrorHandling)(zAuthorizationChallengeErrorResponse, {
-		...options.additionalPayload,
-		error: options.error,
-		error_description: options.errorDescription,
-		auth_session: options.authSession,
-		presentation: options.presentation,
-		request_uri: options.requestUri,
-		expires_in: options.expiresIn
-	});
-}
-
-//#endregion
-//#region src/authorization-challenge/parse-authorization-challenge-request.ts
-/**
-* Parse an authorization challenge request.
-*
-* @throws {Oauth2ServerErrorResponseError}
-*/
-function parseAuthorizationChallengeRequest(options) {
-	const parsedAuthorizationChallengeRequest = zAuthorizationChallengeRequest.safeParse(options.authorizationChallengeRequest);
-	if (!parsedAuthorizationChallengeRequest.success) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Error occurred during validation of authorization challenge request.\n${(0, __openid4vc_utils.formatZodError)(parsedAuthorizationChallengeRequest.error)}`
-	});
-	const authorizationChallengeRequest = parsedAuthorizationChallengeRequest.data;
-	const { clientAttestation, dpop } = parseAuthorizationRequest({
-		authorizationRequest: authorizationChallengeRequest,
-		request: options.request
-	});
-	return {
-		authorizationChallengeRequest: parsedAuthorizationChallengeRequest.data,
-		dpop,
-		clientAttestation
-	};
-}
-
-//#endregion
-//#region src/authorization-request/verify-authorization-request.ts
-async function verifyAuthorizationRequest(options) {
-	const dpopResult = options.dpop ? await verifyAuthorizationRequestDpop(options.dpop, options.request, options.callbacks, options.now) : void 0;
-	const clientAttestationResult = options.clientAttestation ? await verifyAuthorizationRequestClientAttestation(options.clientAttestation, options.authorizationServerMetadata, options.callbacks, dpopResult?.jwkThumbprint, options.now, options.authorizationRequest.client_id) : void 0;
-	return {
-		dpop: dpopResult?.jwkThumbprint ? {
-			jwkThumbprint: dpopResult.jwkThumbprint,
-			jwk: dpopResult.jwk
-		} : void 0,
-		clientAttestation: clientAttestationResult
-	};
-}
-async function verifyAuthorizationRequestClientAttestation(options, authorizationServerMetadata, callbacks, dpopJwkThumbprint, now, requestClientId) {
-	if (!options.clientAttestationJwt || !options.clientAttestationPopJwt) {
-		if (!options.required && !options.clientAttestationJwt && !options.clientAttestationPopJwt) return;
-		throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidClient,
-			error_description: `Missing required client attestation parameters in pushed authorization request. Make sure to provide the '${oauthClientAttestationHeader}' and '${oauthClientAttestationPopHeader}' header values.`
-		});
-	}
-	const verifiedClientAttestation = await verifyClientAttestation({
-		authorizationServer: authorizationServerMetadata.issuer,
-		callbacks,
-		clientAttestationJwt: options.clientAttestationJwt,
-		clientAttestationPopJwt: options.clientAttestationPopJwt,
-		now
-	});
-	if (requestClientId && requestClientId !== verifiedClientAttestation.clientAttestation.payload.sub) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidClient,
-		error_description: `The client_id '${requestClientId}' in the request does not match the client id '${verifiedClientAttestation.clientAttestation.payload.sub}' in the client attestation`
-	}, { status: 401 });
-	if (options.ensureConfirmationKeyMatchesDpopKey && dpopJwkThumbprint) {
-		if (await calculateJwkThumbprint({
-			hashAlgorithm: HashAlgorithm.Sha256,
-			hashCallback: callbacks.hash,
-			jwk: verifiedClientAttestation.clientAttestation.payload.cnf.jwk
-		}) !== dpopJwkThumbprint) throw new Oauth2ServerErrorResponseError({
-			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Expected the DPoP JWK thumbprint value to match the JWK thumbprint of the client attestation confirmation JWK. Ensure both DPoP and client attestation use the same key."
-		}, { status: 401 });
-	}
-	return verifiedClientAttestation;
-}
-async function verifyAuthorizationRequestDpop(options, request, callbacks, now) {
-	if (options.required && !options.jwt && !options.jwkThumbprint) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `Missing required DPoP parameters in authorization request. Either DPoP header or 'dpop_jkt' is required.`
-	});
-	const verifyDpopResult = options.jwt ? await verifyDpopJwt({
-		callbacks,
-		dpopJwt: options.jwt,
-		request,
-		allowedSigningAlgs: options.allowedSigningAlgs,
-		now
-	}) : void 0;
-	if (options.jwkThumbprint && verifyDpopResult && options.jwkThumbprint !== verifyDpopResult.jwkThumbprint) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidDpopProof,
-		error_description: `DPoP jwk thumbprint does not match with 'dpop_jkt' provided in authorization request`
-	});
-	return {
-		jwk: verifyDpopResult?.header.jwk,
-		jwkThumbprint: verifyDpopResult?.jwkThumbprint ?? options.jwkThumbprint
-	};
-}
-
-//#endregion
-//#region src/authorization-challenge/verify-authorization-challenge-request.ts
-async function verifyAuthorizationChallengeRequest(options) {
-	const { clientAttestation, dpop } = await verifyAuthorizationRequest({
-		...options,
-		authorizationRequest: options.authorizationChallengeRequest
-	});
-	return {
-		dpop,
-		clientAttestation
-	};
-}
-
-//#endregion
-//#region src/authorization-request/create-pushed-authorization-response.ts
-/**
-* Create an pushed authorization response
-*
-* @throws {ValidationError} if an error occurred during verification of the {@link PushedAuthorizationResponse}
-*/
-function createPushedAuthorizationResponse(options) {
-	return { pushedAuthorizationResponse: (0, __openid4vc_utils.parseWithErrorHandling)(zPushedAuthorizationResponse, {
-		...options.additionalPayload,
-		expires_in: options.expiresInSeconds,
-		request_uri: options.requestUri
-	}) };
-}
-/**
-* Create a pushed authorization error response
-*
-* @throws {ValidationError} if an error occurred during validation of the {@link PushedAuthorizationErrorResponse}
-*/
-function createPushedAuthorizationErrorResponse(options) {
-	return (0, __openid4vc_utils.parseWithErrorHandling)(zAccessTokenErrorResponse, {
-		...options.additionalPayload,
-		error: options.error,
-		error_description: options.errorDescription
-	});
-}
-
-//#endregion
-//#region src/authorization-request/verify-pushed-authorization-request.ts
-async function verifyPushedAuthorizationRequest(options) {
-	let jar;
-	if (options.authorizationRequestJwt) jar = await verifyJarRequest({
-		authorizationRequestJwt: options.authorizationRequestJwt.jwt,
-		jarRequestParams: options.authorizationRequest,
-		callbacks: options.callbacks,
-		jwtSigner: options.authorizationRequestJwt.signer
-	});
-	const { clientAttestation, dpop } = await verifyAuthorizationRequest(options);
-	return {
-		dpop,
-		clientAttestation,
-		jar
-	};
-}
-
-//#endregion
-//#region src/Oauth2AuthorizationServer.ts
-var Oauth2AuthorizationServer = class {
-	constructor(options) {
-		this.options = options;
-	}
-	createAuthorizationServerMetadata(authorizationServerMetadata) {
-		return (0, __openid4vc_utils.parseWithErrorHandling)(zAuthorizationServerMetadata, authorizationServerMetadata, "Error validating authorization server metadata");
-	}
-	/**
-	* Parse access token request and extract the grant specific properties.
-	*
-	* If something goes wrong, such as the grant is not supported, missing parameters, etc,
-	* it will throw `Oauth2ServerErrorResponseError` containing an error response object
-	* that can be returned to the client.
-	*/
-	parseAccessTokenRequest(options) {
-		return parseAccessTokenRequest(options);
-	}
-	verifyPreAuthorizedCodeAccessTokenRequest(options) {
-		return verifyPreAuthorizedCodeAccessTokenRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	verifyAuthorizationCodeAccessTokenRequest(options) {
-		return verifyAuthorizationCodeAccessTokenRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	verifyRefreshTokenAccessTokenRequest(options) {
-		return verifyRefreshTokenAccessTokenRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	/**
-	* Create an access token response.
-	*
-	* The `sub` claim can be used to identify the resource owner is subsequent requests.
-	* For pre-auth flow this can be the pre-authorized_code but there are no requirements
-	* on the value.
-	*
-	* To generate a refresh token, set the `refreshToken` option to `true`. You can
-	* also provide a custom refresh token string.
-	*/
-	async createAccessTokenResponse(options) {
-		const { jwt: accessToken } = await createAccessTokenJwt({
-			audience: options.audience,
-			authorizationServer: options.authorizationServer,
-			callbacks: this.options.callbacks,
-			expiresInSeconds: options.expiresInSeconds,
-			subject: options.subject,
-			scope: options.scope,
-			clientId: options.clientId,
-			signer: options.signer,
-			dpop: options.dpop,
-			now: options.now,
-			additionalPayload: options.additionalAccessTokenPayload
-		});
-		return createAccessTokenResponse({
-			accessToken,
-			refreshToken: typeof options.refreshToken === "string" ? options.refreshToken : options.refreshToken ? (0, __openid4vc_utils.encodeToBase64Url)(await this.options.callbacks.generateRandom(32)) : void 0,
-			callbacks: this.options.callbacks,
-			expiresInSeconds: options.expiresInSeconds,
-			tokenType: options.dpop ? "DPoP" : "Bearer",
-			cNonce: options.cNonce,
-			cNonceExpiresIn: options.cNonceExpiresIn,
-			additionalPayload: options.additionalAccessTokenResponsePayload
-		});
-	}
-	/**
-	* Parse a pushed authorization request
-	*/
-	async parsePushedAuthorizationRequest(options) {
-		return await parsePushedAuthorizationRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	/**
-	* Verify pushed authorization request.
-	*
-	* Make sure to provide the `authorizationRequestJwt` if this was returned in the `parsePushedAuthorizationRequest`
-	*/
-	verifyPushedAuthorizationRequest(options) {
-		return verifyPushedAuthorizationRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	createPushedAuthorizationResponse(options) {
-		return createPushedAuthorizationResponse(options);
-	}
-	createPushedAuthorizationErrorResponse(options) {
-		return createPushedAuthorizationErrorResponse(options);
-	}
-	/**
-	* Parse an authorization challenge request
-	*/
-	parseAuthorizationChallengeRequest(options) {
-		return parseAuthorizationChallengeRequest(options);
-	}
-	verifyAuthorizationChallengeRequest(options) {
-		return verifyAuthorizationChallengeRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	createAuthorizationChallengeResponse(options) {
-		return createAuthorizationChallengeResponse(options);
-	}
-	/**
-	* Create an authorization challenge error response indicating presentation of credentials
-	* using OpenID4VP is required before authorization can be granted.
-	*
-	* The `presentation` parameter should be an OpenID4VP authorization request url.
-	* The `authSession` should be used to track the session
-	*/
-	createAuthorizationChallengePresentationErrorResponse(options) {
-		return createAuthorizationChallengeErrorResponse({
-			error: Oauth2ErrorCodes.InsufficientAuthorization,
-			errorDescription: options.errorDescription,
-			additionalPayload: options.additionalPayload,
-			authSession: options.authSession,
-			presentation: options.presentation
-		});
-	}
-	createAuthorizationChallengeErrorResponse(options) {
-		return createAuthorizationChallengeErrorResponse(options);
-	}
-	async verifyDpopJwt(options) {
-		return verifyDpopJwt({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	async verifyClientAttestation(options) {
-		return verifyClientAttestation({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-};
-
-//#endregion
-//#region src/dpop/dpop-retry.ts
-async function authorizationServerRequestWithDpopRetry(options) {
-	try {
-		return await options.request(options.dpop);
-	} catch (error) {
-		if (options.dpop && error instanceof Oauth2ClientErrorResponseError) {
-			const dpopRetry = shouldRetryAuthorizationServerRequestWithDPoPNonce({
-				responseHeaders: error.response.headers,
-				errorResponse: error.errorResponse
-			});
-			if (dpopRetry.retry) return options.request({
-				...options.dpop,
-				nonce: dpopRetry.dpopNonce
-			});
-		}
-		throw error;
-	}
-}
-function shouldRetryAuthorizationServerRequestWithDPoPNonce(options) {
-	if (options.errorResponse.error !== "use_dpop_nonce") return { retry: false };
-	const dpopNonce = extractDpopNonceFromHeaders(options.responseHeaders);
-	if (!dpopNonce) throw new Oauth2Error(`Error response error contains error 'use_dpop_nonce' but the response headers do not include a valid 'DPoP-Nonce' header value.`);
-	return {
-		retry: true,
-		dpopNonce
-	};
-}
-function shouldRetryResourceRequestWithDPoPNonce(options) {
-	if (!options.resourceUnauthorizedError.wwwAuthenticateHeaders.find((challenge) => challenge.scheme === SupportedAuthenticationScheme.DPoP && challenge.error === Oauth2ErrorCodes.UseDpopNonce)) return { retry: false };
-	const dpopNonce = extractDpopNonceFromHeaders(options.responseHeaders);
-	if (!dpopNonce || typeof dpopNonce !== "string") throw new Oauth2Error(`Resource request error in 'WWW-Authenticate' response header contains error 'use_dpop_nonce' but the response headers do not include a valid 'DPoP-Nonce' value.`);
-	return {
-		retry: true,
-		dpopNonce
-	};
-}
-
-//#endregion
-//#region src/access-token/retrieve-access-token.ts
-async function retrievePreAuthorizedCodeAccessToken(options) {
-	const request = {
-		grant_type: preAuthorizedCodeGrantIdentifier,
-		"pre-authorized_code": options.preAuthorizedCode,
-		tx_code: options.txCode,
-		resource: options.resource,
-		...options.additionalRequestPayload
-	};
-	return retrieveAccessToken({
-		authorizationServerMetadata: options.authorizationServerMetadata,
-		request,
-		dpop: options.dpop,
-		callbacks: options.callbacks,
-		resource: options.resource
-	});
-}
-async function retrieveAuthorizationCodeAccessToken(options) {
-	const request = {
-		grant_type: authorizationCodeGrantIdentifier,
-		code: options.authorizationCode,
-		code_verifier: options.pkceCodeVerifier,
-		redirect_uri: options.redirectUri,
-		resource: options.resource,
-		...options.additionalRequestPayload
-	};
-	return retrieveAccessToken({
-		authorizationServerMetadata: options.authorizationServerMetadata,
-		request,
-		dpop: options.dpop,
-		resource: options.resource,
-		callbacks: options.callbacks
-	});
-}
-async function retrieveRefreshTokenAccessToken(options) {
-	const request = {
-		grant_type: refreshTokenGrantIdentifier,
-		refresh_token: options.refreshToken,
-		resource: options.resource,
-		...options.additionalRequestPayload
-	};
-	return retrieveAccessToken({
-		authorizationServerMetadata: options.authorizationServerMetadata,
-		request,
-		dpop: options.dpop,
-		callbacks: options.callbacks,
-		resource: options.resource
-	});
-}
-/**
-* Internal method
-*/
-async function retrieveAccessToken(options) {
-	const fetchWithZod = (0, __openid4vc_utils.createZodFetcher)(options.callbacks.fetch);
-	const accessTokenRequest = (0, __openid4vc_utils.parseWithErrorHandling)(zAccessTokenRequest, options.request, "Error validating access token request");
-	if (accessTokenRequest.tx_code) accessTokenRequest.user_pin = accessTokenRequest.tx_code;
-	return await authorizationServerRequestWithDpopRetry({
-		dpop: options.dpop,
-		request: async (dpop) => {
-			const dpopHeaders = dpop ? await createDpopHeadersForRequest({
-				request: {
-					method: "POST",
-					url: options.authorizationServerMetadata.token_endpoint
-				},
-				signer: dpop.signer,
-				callbacks: options.callbacks,
-				nonce: dpop.nonce
-			}) : void 0;
-			const headers = new __openid4vc_utils.Headers({
-				"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded,
-				...dpopHeaders
-			});
-			await options.callbacks.clientAuthentication({
-				url: options.authorizationServerMetadata.token_endpoint,
-				method: "POST",
-				authorizationServerMetadata: options.authorizationServerMetadata,
-				body: accessTokenRequest,
-				contentType: __openid4vc_utils.ContentType.XWwwFormUrlencoded,
-				headers
-			});
-			const { response, result } = await fetchWithZod(zAccessTokenResponse, __openid4vc_utils.ContentType.Json, options.authorizationServerMetadata.token_endpoint, {
-				body: (0, __openid4vc_utils.objectToQueryParams)(accessTokenRequest).toString(),
-				method: "POST",
-				headers
-			});
-			if (!response.ok || !result) {
-				const tokenErrorResponse = zAccessTokenErrorResponse.safeParse(await response.clone().json().catch(() => null));
-				if (tokenErrorResponse.success) throw new Oauth2ClientErrorResponseError(`Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received token error response with status ${response.status}`, tokenErrorResponse.data, response);
-				throw new __openid4vc_utils.InvalidFetchResponseError(`Unable to retrieve access token from '${options.authorizationServerMetadata.token_endpoint}'. Received response with status ${response.status}`, await response.clone().text(), response);
-			}
-			if (!result.success) throw new ValidationError$1("Error validating access token response", result.error);
-			const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
-			return {
-				dpop: dpop ? {
-					...dpop,
-					nonce: dpopNonce
-				} : void 0,
-				accessTokenResponse: result.data
-			};
-		}
-	});
-}
-
-//#endregion
-//#region src/authorization-challenge/send-authorization-challenge.ts
-/**
-* Send an authorization challenge request.
-*
-* @throws {Oauth2ClientAuthorizationChallengeError} if the request failed and a {@link AuthorizationChallengeErrorResponse} is returned
-* @throws {InvalidFetchResponseError} if the request failed but no error response could be parsed
-* @throws {ValidationError} if a successful response was received but an error occurred during verification of the {@link AuthorizationChallengeResponse}
-*/
-async function sendAuthorizationChallengeRequest(options) {
-	const fetchWithZod = (0, __openid4vc_utils.createZodFetcher)(options.callbacks.fetch);
-	const authorizationServerMetadata = options.authorizationServerMetadata;
-	const authorizationChallengeEndpoint = authorizationServerMetadata.authorization_challenge_endpoint;
-	if (!authorizationChallengeEndpoint) throw new Oauth2Error(`Unable to send authorization challenge. Authorization server '${authorizationServerMetadata.issuer}' has no 'authorization_challenge_endpoint'`);
-	const pkce = authorizationServerMetadata.code_challenge_methods_supported && !options.authSession ? await createPkce({
-		allowedCodeChallengeMethods: authorizationServerMetadata.code_challenge_methods_supported,
-		callbacks: options.callbacks,
-		codeVerifier: options.pkceCodeVerifier
-	}) : void 0;
-	const authorizationChallengeRequest = (0, __openid4vc_utils.parseWithErrorHandling)(zAuthorizationChallengeRequest, {
-		...options.additionalRequestPayload,
-		auth_session: options.authSession,
-		scope: options.scope,
-		redirect_uri: options.redirectUri,
-		resource: options.resource,
-		state: options.state,
-		code_challenge: pkce?.codeChallenge,
-		code_challenge_method: pkce?.codeChallengeMethod,
-		presentation_during_issuance_session: options.presentationDuringIssuanceSession
-	});
-	return authorizationServerRequestWithDpopRetry({
-		dpop: options.dpop,
-		request: async (dpop) => {
-			const headers = new __openid4vc_utils.Headers({
-				...dpop ? await createDpopHeadersForRequest({
-					request: {
-						method: "POST",
-						url: authorizationChallengeEndpoint
-					},
-					signer: dpop.signer,
-					callbacks: options.callbacks,
-					nonce: dpop.nonce
-				}) : void 0,
-				"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
-			});
-			await options.callbacks.clientAuthentication({
-				url: authorizationChallengeEndpoint,
-				method: "POST",
-				authorizationServerMetadata: options.authorizationServerMetadata,
-				body: authorizationChallengeRequest,
-				contentType: __openid4vc_utils.ContentType.XWwwFormUrlencoded,
-				headers
-			});
-			const { response, result } = await fetchWithZod(zAuthorizationChallengeResponse, __openid4vc_utils.ContentType.Json, authorizationChallengeEndpoint, {
-				method: "POST",
-				body: (0, __openid4vc_utils.objectToQueryParams)(authorizationChallengeRequest).toString(),
-				headers
-			});
-			if (!response.ok || !result) {
-				const authorizationChallengeErrorResponse = zAuthorizationChallengeErrorResponse.safeParse(await response.clone().json().catch(() => null));
-				if (authorizationChallengeErrorResponse.success) throw new Oauth2ClientAuthorizationChallengeError(`Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`, authorizationChallengeErrorResponse.data, response);
-				throw new __openid4vc_utils.InvalidFetchResponseError(`Error requesting authorization code from authorization challenge endpoint '${authorizationServerMetadata.authorization_challenge_endpoint}'. Received response with status ${response.status}`, await response.clone().text(), response);
-			}
-			if (!result.success) throw new __openid4vc_utils.ValidationError("Error validating authorization challenge response", result.error);
-			const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
-			return {
-				pkce,
-				dpop: dpop ? {
-					...dpop,
-					nonce: dpopNonce
-				} : void 0,
-				authorizationChallengeResponse: result.data
-			};
-		}
-	});
-}
-
-//#endregion
-//#region src/authorization-request/create-authorization-request.ts
-/**
-* Create an authorization request url that can be used for authorization.
-*
-* If the authorization server supports Pushed Authorization Requests (PAR) the
-* request will first be pushed to the authorization request, and a reference to
-* the authorization request will be returned (using the 'request_uri' param).
-*/
-async function createAuthorizationRequestUrl(options) {
-	const authorizationServerMetadata = options.authorizationServerMetadata;
-	const pushedAuthorizationRequestEndpoint = authorizationServerMetadata.pushed_authorization_request_endpoint;
-	if (!authorizationServerMetadata.authorization_endpoint) throw new Oauth2Error(`Unable to create authorization request url. Authorization server '${authorizationServerMetadata.issuer}' has no 'authorization_endpoint'`);
-	const pkce = authorizationServerMetadata.code_challenge_methods_supported ? await createPkce({
-		allowedCodeChallengeMethods: authorizationServerMetadata.code_challenge_methods_supported,
-		callbacks: options.callbacks,
-		codeVerifier: options.pkceCodeVerifier
-	}) : void 0;
-	const authorizationRequest = {
-		...options.additionalRequestPayload,
-		response_type: "code",
-		client_id: options.clientId,
-		redirect_uri: options.redirectUri,
-		resource: options.resource,
-		scope: options.scope,
-		state: options.state,
-		code_challenge: pkce?.codeChallenge,
-		code_challenge_method: pkce?.codeChallengeMethod
-	};
-	let pushedAuthorizationRequest;
-	let dpop = options.dpop;
-	if (authorizationServerMetadata.require_pushed_authorization_requests || pushedAuthorizationRequestEndpoint) {
-		if (!pushedAuthorizationRequestEndpoint) throw new Oauth2Error(`Authorization server '${authorizationServerMetadata.issuer}' indicated that pushed authorization requests are required, but the 'pushed_authorization_request_endpoint' is missing in the authorization server metadata.`);
-		const { pushedAuthorizationResponse, dpopNonce } = await authorizationServerRequestWithDpopRetry({
-			dpop: options.dpop,
-			request: async (dpop$1) => {
-				const dpopHeaders = dpop$1 ? await createDpopHeadersForRequest({
-					request: {
-						method: "POST",
-						url: pushedAuthorizationRequestEndpoint
-					},
-					signer: dpop$1.signer,
-					callbacks: options.callbacks,
-					nonce: dpop$1.nonce
-				}) : void 0;
-				return await pushAuthorizationRequest({
-					authorizationServerMetadata,
-					authorizationRequest,
-					pushedAuthorizationRequestEndpoint,
-					callbacks: options.callbacks,
-					headers: dpopHeaders
-				});
-			}
-		});
-		pushedAuthorizationRequest = {
-			request_uri: pushedAuthorizationResponse.request_uri,
-			client_id: authorizationRequest.client_id
-		};
-		if (options.dpop && dpopNonce) dpop = {
-			...options.dpop,
-			nonce: dpopNonce
-		};
-	} else if (options.dpop) authorizationRequest.dpop_jkt = await calculateJwkThumbprint({
-		hashAlgorithm: HashAlgorithm.Sha256,
-		hashCallback: options.callbacks.hash,
-		jwk: options.dpop.signer.publicJwk
-	});
-	return {
-		authorizationRequestUrl: `${authorizationServerMetadata.authorization_endpoint}?${(0, __openid4vc_utils.objectToQueryParams)(pushedAuthorizationRequest ?? authorizationRequest).toString()}`,
-		pkce,
-		dpop
-	};
-}
-async function pushAuthorizationRequest(options) {
-	const fetchWithZod = (0, __openid4vc_utils.createZodFetcher)(options.callbacks.fetch);
-	if (options.authorizationRequest.request_uri) throw new Oauth2Error(`Authorization request contains 'request_uri' parameter. This is not allowed for pushed authorization requests.`);
-	const headers = new __openid4vc_utils.Headers({
-		...options.headers,
-		"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
-	});
-	await options.callbacks.clientAuthentication({
-		url: options.pushedAuthorizationRequestEndpoint,
-		method: "POST",
-		authorizationServerMetadata: options.authorizationServerMetadata,
-		body: options.authorizationRequest,
-		contentType: __openid4vc_utils.ContentType.XWwwFormUrlencoded,
-		headers
-	});
-	const { response, result } = await fetchWithZod(zPushedAuthorizationResponse, __openid4vc_utils.ContentType.Json, options.pushedAuthorizationRequestEndpoint, {
-		method: "POST",
-		body: (0, __openid4vc_utils.objectToQueryParams)(options.authorizationRequest).toString(),
-		headers
-	});
-	if (!response.ok || !result) {
-		const parErrorResponse = zOauth2ErrorResponse.safeParse(await response.clone().json().catch(() => null));
-		if (parErrorResponse.success) throw new Oauth2ClientErrorResponseError(`Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`, parErrorResponse.data, response);
-		throw new __openid4vc_utils.InvalidFetchResponseError(`Unable to push authorization request to '${options.pushedAuthorizationRequestEndpoint}'. Received response with status ${response.status}`, await response.clone().text(), response);
-	}
-	if (!result.success) throw new ValidationError$1("Error validating pushed authorization response", result.error);
-	return {
-		dpopNonce: extractDpopNonceFromHeaders(response.headers),
-		pushedAuthorizationResponse: result.data
-	};
-}
-
-//#endregion
-//#region src/resource-request/make-resource-request.ts
-async function resourceRequest(options) {
-	const dpopHeaders = options.dpop ? await createDpopHeadersForRequest({
-		request: {
-			url: options.url,
-			method: options.requestOptions.method ?? "GET"
-		},
-		signer: options.dpop.signer,
-		callbacks: options.callbacks,
-		nonce: options.dpop.nonce,
-		accessToken: options.accessToken
-	}) : void 0;
-	const response = await (0, __openid4vc_utils.createFetcher)(options.callbacks.fetch)(options.url, {
-		...options.requestOptions,
-		headers: {
-			...options.requestOptions.headers,
-			Authorization: `${dpopHeaders ? "DPoP" : "Bearer"} ${options.accessToken}`,
-			...dpopHeaders
-		}
-	});
-	const dpopNonce = extractDpopNonceFromHeaders(response.headers);
-	if (response.ok) return {
-		ok: true,
-		response,
-		dpop: dpopNonce ? { nonce: dpopNonce } : void 0
-	};
-	const wwwAuthenticateHeader = response.headers.get("WWW-Authenticate");
-	const resourceUnauthorizedError = wwwAuthenticateHeader ? Oauth2ResourceUnauthorizedError.fromHeaderValue(wwwAuthenticateHeader) : void 0;
-	const shouldRetryWithNonce = options.dpop?.retryWithNonce ?? true;
-	const dpopRetry = resourceUnauthorizedError ? shouldRetryResourceRequestWithDPoPNonce({
-		responseHeaders: response.headers,
-		resourceUnauthorizedError
-	}) : void 0;
-	if (shouldRetryWithNonce && dpopRetry?.retry && options.dpop) return await resourceRequest({
-		...options,
-		dpop: {
-			...options.dpop,
-			nonce: dpopRetry.dpopNonce,
-			retryWithNonce: false
-		}
-	});
-	return {
-		ok: false,
-		response,
-		dpop: dpopNonce ? { nonce: dpopNonce } : void 0,
-		wwwAuthenticate: resourceUnauthorizedError?.wwwAuthenticateHeaders
-	};
-}
-
-//#endregion
-//#region src/Oauth2Client.ts
-var Oauth2Client = class {
-	constructor(options) {
-		this.options = options;
-	}
-	isDpopSupported(options) {
-		if (!options.authorizationServerMetadata.dpop_signing_alg_values_supported || options.authorizationServerMetadata.dpop_signing_alg_values_supported.length === 0) return { supported: false };
-		return {
-			supported: true,
-			dpopSigningAlgValuesSupported: options.authorizationServerMetadata.dpop_signing_alg_values_supported
-		};
-	}
-	isClientAttestationSupported(options) {
-		if (!options.authorizationServerMetadata.token_endpoint_auth_methods_supported || !options.authorizationServerMetadata.token_endpoint_auth_methods_supported.includes(SupportedClientAuthenticationMethod.ClientAttestationJwt)) return { supported: false };
-		return { supported: true };
-	}
-	async fetchAuthorizationServerMetadata(issuer) {
-		return fetchAuthorizationServerMetadata(issuer, this.options.callbacks.fetch);
-	}
-	/**
-	* Initiate authorization.
-	*
-	* It will take the followings steps:
-	* - if `authorization_challenge_endpoint` is defined, send an authorization challenge request
-	* - if authorization challenge request returns a `redirect_to_web` error code with `request_uri`
-	*   then construct the authorization request url based on the `request_uri`
-	* - if the `authorization_challenge_endpoint` is not defined, or authorization challenge request reuturns a `redirect_to_web` error code without `request_uri`
-	*   then the authorization request url will be constructed as usual (optionally using PAR).
-	*
-	* @throws {Oauth2ClientAuthorizationChallengeError} in case of an error response. If `error` is
-	* `insufficient_authorization` possible extra steps can be taken.
-	*/
-	async initiateAuthorization(options) {
-		const pkce = options.authorizationServerMetadata.code_challenge_methods_supported ? await createPkce({
-			allowedCodeChallengeMethods: options.authorizationServerMetadata.code_challenge_methods_supported,
-			callbacks: this.options.callbacks,
-			codeVerifier: options.pkceCodeVerifier
-		}) : void 0;
-		if (options.authorizationServerMetadata.authorization_challenge_endpoint) try {
-			await this.sendAuthorizationChallengeRequest({
-				authorizationServerMetadata: options.authorizationServerMetadata,
-				additionalRequestPayload: options.additionalRequestPayload,
-				pkceCodeVerifier: pkce?.codeVerifier,
-				redirectUri: options.redirectUri,
-				scope: options.scope,
-				resource: options.resource,
-				dpop: options.dpop,
-				state: options.state
-			});
-		} catch (error) {
-			if (!(error instanceof Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === Oauth2ErrorCodes.RedirectToWeb)) throw error;
-			if (error.errorResponse.request_uri) {
-				const authorizationRequestUrl = `${options.authorizationServerMetadata.authorization_endpoint}?${(0, __openid4vc_utils.objectToQueryParams)({
-					request_uri: error.errorResponse.request_uri,
-					client_id: options.clientId
-				}).toString()}`;
-				const dpopNonce = extractDpopNonceFromHeaders(error.response.headers);
-				return {
-					dpop: options.dpop ? {
-						...options.dpop,
-						nonce: dpopNonce
-					} : void 0,
-					authorizationRequestUrl,
-					pkce
-				};
-			}
-		}
-		return this.createAuthorizationRequestUrl({
-			authorizationServerMetadata: options.authorizationServerMetadata,
-			clientId: options.clientId,
-			additionalRequestPayload: options.additionalRequestPayload,
-			redirectUri: options.redirectUri,
-			scope: options.scope,
-			pkceCodeVerifier: pkce?.codeVerifier,
-			resource: options.resource,
-			dpop: options.dpop,
-			state: options.state
-		});
-	}
-	sendAuthorizationChallengeRequest(options) {
-		return sendAuthorizationChallengeRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	async createAuthorizationRequestUrl(options) {
-		return createAuthorizationRequestUrl({
-			authorizationServerMetadata: options.authorizationServerMetadata,
-			clientId: options.clientId,
-			additionalRequestPayload: options.additionalRequestPayload,
-			redirectUri: options.redirectUri,
-			resource: options.resource,
-			scope: options.scope,
-			callbacks: this.options.callbacks,
-			pkceCodeVerifier: options.pkceCodeVerifier,
-			dpop: options.dpop,
-			state: options.state
-		});
-	}
-	async retrievePreAuthorizedCodeAccessToken({ authorizationServerMetadata, preAuthorizedCode, additionalRequestPayload, txCode, dpop, resource }) {
-		return await retrievePreAuthorizedCodeAccessToken({
-			authorizationServerMetadata,
-			preAuthorizedCode,
-			txCode,
-			resource,
-			additionalRequestPayload: {
-				...additionalRequestPayload,
-				tx_code: txCode
-			},
-			callbacks: this.options.callbacks,
-			dpop
-		});
-	}
-	async retrieveAuthorizationCodeAccessToken({ authorizationServerMetadata, additionalRequestPayload, authorizationCode, pkceCodeVerifier, redirectUri, resource, dpop }) {
-		return await retrieveAuthorizationCodeAccessToken({
-			authorizationServerMetadata,
-			authorizationCode,
-			pkceCodeVerifier,
-			additionalRequestPayload,
-			resource,
-			callbacks: this.options.callbacks,
-			dpop,
-			redirectUri
-		});
-	}
-	async retrieveRefreshTokenAccessToken({ authorizationServerMetadata, additionalRequestPayload, refreshToken, resource, dpop }) {
-		return await retrieveRefreshTokenAccessToken({
-			authorizationServerMetadata,
-			refreshToken,
-			additionalRequestPayload,
-			resource,
-			callbacks: this.options.callbacks,
-			dpop
-		});
-	}
-	async resourceRequest(options) {
-		return resourceRequest(options);
-	}
-};
-
-//#endregion
-//#region src/Oauth2ResourceServer.ts
-var Oauth2ResourceServer = class {
-	constructor(options) {
-		this.options = options;
-	}
-	async verifyResourceRequest(options) {
-		return verifyResourceRequest({
-			callbacks: this.options.callbacks,
-			...options
-		});
-	}
-};
-
-//#endregion
-//#region src/access-token/z-token-introspection.ts
-const zTokenIntrospectionRequest = zod.default.object({
-	token: zod.default.string(),
-	token_type_hint: zod.default.optional(zod.default.string())
-}).loose();
-const zTokenIntrospectionResponse = zod.default.object({
-	active: zod.default.boolean(),
-	scope: zod.default.optional(zod.default.string()),
-	client_id: zod.default.optional(zod.default.string()),
-	username: zod.default.optional(zod.default.string()),
-	token_type: zod.default.optional(zod.default.string()),
-	exp: zod.default.optional(__openid4vc_utils.zInteger),
-	iat: zod.default.optional(__openid4vc_utils.zInteger),
-	nbf: zod.default.optional(__openid4vc_utils.zInteger),
-	sub: zod.default.optional(zod.default.string()),
-	aud: zod.default.optional(zod.default.union([zod.default.string(), zod.default.array(zod.default.string())])),
-	iss: zod.default.optional(zod.default.string()),
-	jti: zod.default.optional(zod.default.string()),
-	cnf: zod.default.optional(zJwtConfirmationPayload)
-}).loose();
-
-//#endregion
-//#region src/access-token/introspect-token.ts
-async function introspectToken(options) {
-	const fetchWithZod = (0, __openid4vc_utils.createZodFetcher)(options.callbacks.fetch);
-	const introspectionRequest = (0, __openid4vc_utils.parseWithErrorHandling)(zTokenIntrospectionRequest, {
-		token: options.token,
-		token_type_hint: options.tokenTypeHint,
-		...options.additionalPayload
-	});
-	const introspectionEndpoint = options.authorizationServerMetadata.introspection_endpoint;
-	if (!introspectionEndpoint) throw new Oauth2Error(`Missing required 'introspection_endpoint' parameter in authorization server metadata`);
-	const headers = new __openid4vc_utils.Headers({ "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded });
-	await options.callbacks.clientAuthentication({
-		url: introspectionEndpoint,
-		method: "POST",
-		authorizationServerMetadata: options.authorizationServerMetadata,
-		body: introspectionRequest,
-		contentType: __openid4vc_utils.ContentType.XWwwFormUrlencoded,
-		headers
-	});
-	const { result, response } = await fetchWithZod(zTokenIntrospectionResponse, __openid4vc_utils.ContentType.Json, introspectionEndpoint, {
-		body: (0, __openid4vc_utils.objectToQueryParams)(introspectionRequest).toString(),
-		method: "POST",
-		headers
-	});
-	if (!response.ok || !result?.success) throw new __openid4vc_utils.InvalidFetchResponseError(`Unable to introspect token from '${introspectionEndpoint}'. Received response with status ${response.status}`, await response.clone().text(), response);
-	return result.data;
-}
-
-//#endregion
-//#region src/resource-request/verify-resource-request.ts
-async function verifyResourceRequest(options) {
-	const allowedAuthenticationSchemes = options.allowedAuthenticationSchemes ?? Object.values(SupportedAuthenticationScheme);
-	if (allowedAuthenticationSchemes.length === 0) throw new Oauth2Error(`Emtpy array provided for 'allowedAuthenticationSchemes', provide at least one allowed authentication scheme, or remove the value to allow all supported authentication schemes`);
-	const authorizationHeader = options.request.headers.get("Authorization");
-	if (!authorizationHeader) throw new Oauth2ResourceUnauthorizedError(`No 'Authorization' header provided in request.`, allowedAuthenticationSchemes.map((scheme$1) => ({ scheme: scheme$1 })));
-	const [scheme, accessToken] = authorizationHeader.split(" ", 2);
-	if (!scheme || !accessToken) throw new Oauth2ResourceUnauthorizedError(`Malformed 'Authorization' header provided in request.`, allowedAuthenticationSchemes.map((scheme$1) => ({ scheme: scheme$1 })));
-	if (!allowedAuthenticationSchemes.includes(scheme) || scheme !== SupportedAuthenticationScheme.Bearer && scheme !== SupportedAuthenticationScheme.DPoP) throw new Oauth2ResourceUnauthorizedError(`Provided authentication scheme '${scheme}' is not allowed. Allowed authentication schemes are ${allowedAuthenticationSchemes.map((s) => `'${s}'`).join(", ")}.`, allowedAuthenticationSchemes.map((scheme$1) => ({ scheme: scheme$1 })));
-	const verificationResult = await verifyJwtProfileAccessToken({
-		accessToken,
-		callbacks: options.callbacks,
-		authorizationServers: options.authorizationServers,
-		resourceServer: options.resourceServer,
-		now: options.now
-	}).catch((error) => {
-		if (error instanceof Oauth2JwtParseError || error instanceof __openid4vc_utils.ValidationError) return null;
-		const errorMessage = error instanceof Oauth2Error ? error.message : "Invalid access token";
-		throw new Oauth2ResourceUnauthorizedError(`Error occurred during verification of jwt profile access token: ${error.message}`, {
-			scheme,
-			error: Oauth2ErrorCodes.InvalidToken,
-			error_description: errorMessage
-		});
-	});
-	let tokenPayload = verificationResult?.payload;
-	let authorizationServer = verificationResult?.authorizationServer;
-	if (!tokenPayload) for (const authorizationServerMetadata of options.authorizationServers) try {
-		tokenPayload = await introspectToken({
-			authorizationServerMetadata,
-			callbacks: options.callbacks,
-			token: accessToken,
-			tokenTypeHint: scheme
-		});
-		authorizationServer = authorizationServerMetadata;
-		if (tokenPayload.active) break;
-	} catch (_error) {}
-	if (!tokenPayload || !authorizationServer) throw new Oauth2ResourceUnauthorizedError("Could not verify token as jwt or using token introspection.", {
-		scheme,
-		error: Oauth2ErrorCodes.InvalidToken,
-		error_description: "Token is not valid"
-	});
-	let dpopJwk;
-	if (scheme === SupportedAuthenticationScheme.DPoP || tokenPayload.token_type === SupportedAuthenticationScheme.DPoP || tokenPayload.cnf?.jkt) {
-		const dpopJwtResult = extractDpopJwtFromHeaders(options.request.headers);
-		if (!dpopJwtResult.valid) throw new Oauth2ResourceUnauthorizedError(`Request contains a 'DPoP' header, but the value is not a valid DPoP jwt.`, {
-			scheme,
-			error: Oauth2ErrorCodes.InvalidDpopProof,
-			error_description: `Request contains a 'DPoP' header, but the value is not a valid DPoP jwt.`
-		});
-		if (!dpopJwtResult.dpopJwt) throw new Oauth2ResourceUnauthorizedError(`Request is missing required 'DPoP' header.`, {
-			scheme,
-			error: Oauth2ErrorCodes.InvalidDpopProof,
-			error_description: `Request is missing required 'DPoP' header.`
-		});
-		if (!tokenPayload.cnf?.jkt) throw new Oauth2ResourceUnauthorizedError(`Token payload is missing required 'cnf.jkt' value for DPoP verification.`, {
-			scheme,
-			error: Oauth2ErrorCodes.InvalidToken,
-			error_description: `Token payload is missing required 'cnf.jkt' value for DPoP verification.`
-		});
-		try {
-			dpopJwk = (await verifyDpopJwt({
-				callbacks: options.callbacks,
-				dpopJwt: dpopJwtResult.dpopJwt,
-				request: options.request,
-				accessToken,
-				now: options.now,
-				expectedJwkThumbprint: tokenPayload.cnf?.jkt,
-				allowedSigningAlgs: authorizationServer.dpop_signing_alg_values_supported
-			})).header.jwk;
-		} catch (error) {
-			const errorMessage = error instanceof Oauth2Error ? error.message : "Error verifying DPoP jwt";
-			throw new Oauth2ResourceUnauthorizedError(`Error occurred during verification of jwt profile access token: ${error instanceof Error ? error.message : error}`, {
-				scheme,
-				error: Oauth2ErrorCodes.InvalidDpopProof,
-				error_description: errorMessage
-			});
-		}
-	}
-	return {
-		tokenPayload,
-		dpop: dpopJwk ? { jwk: dpopJwk } : void 0,
-		scheme,
-		accessToken,
-		authorizationServer: authorizationServer.issuer
-	};
-}
-
-//#endregion
-exports.HashAlgorithm = HashAlgorithm;
-Object.defineProperty(exports, 'InvalidFetchResponseError', {
-  enumerable: true,
-  get: function () {
-    return __openid4vc_utils.InvalidFetchResponseError;
-  }
-});
-exports.Oauth2AuthorizationServer = Oauth2AuthorizationServer;
-exports.Oauth2Client = Oauth2Client;
-exports.Oauth2ClientAuthorizationChallengeError = Oauth2ClientAuthorizationChallengeError;
-exports.Oauth2ClientErrorResponseError = Oauth2ClientErrorResponseError;
-exports.Oauth2Error = Oauth2Error;
-exports.Oauth2ErrorCodes = Oauth2ErrorCodes;
-exports.Oauth2JwtParseError = Oauth2JwtParseError;
-exports.Oauth2JwtVerificationError = Oauth2JwtVerificationError;
-exports.Oauth2ResourceServer = Oauth2ResourceServer;
-exports.Oauth2ResourceUnauthorizedError = Oauth2ResourceUnauthorizedError;
-exports.Oauth2ServerErrorResponseError = Oauth2ServerErrorResponseError;
-exports.PkceCodeChallengeMethod = PkceCodeChallengeMethod;
-exports.SupportedAuthenticationScheme = SupportedAuthenticationScheme;
-exports.SupportedClientAuthenticationMethod = SupportedClientAuthenticationMethod;
-exports.authorizationCodeGrantIdentifier = authorizationCodeGrantIdentifier;
-exports.calculateJwkThumbprint = calculateJwkThumbprint;
-exports.clientAuthenticationAnonymous = clientAuthenticationAnonymous;
-exports.clientAuthenticationClientAttestationJwt = clientAuthenticationClientAttestationJwt;
-exports.clientAuthenticationClientSecretBasic = clientAuthenticationClientSecretBasic;
-exports.clientAuthenticationClientSecretPost = clientAuthenticationClientSecretPost;
-exports.clientAuthenticationDynamic = clientAuthenticationDynamic;
-exports.clientAuthenticationNone = clientAuthenticationNone;
-exports.createClientAttestationJwt = createClientAttestationJwt;
-exports.createJarAuthorizationRequest = createJarAuthorizationRequest;
-exports.decodeJwt = decodeJwt;
-exports.decodeJwtHeader = decodeJwtHeader;
-exports.fetchAuthorizationServerMetadata = fetchAuthorizationServerMetadata;
-exports.fetchJwks = fetchJwks;
-exports.fetchWellKnownMetadata = fetchWellKnownMetadata;
-exports.fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray = fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray;
-exports.fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm = fullySpecifiedCoseAlgorithmToJwaSignatureAlgorithm;
-exports.getAuthorizationServerMetadataFromList = getAuthorizationServerMetadataFromList;
-Object.defineProperty(exports, 'getGlobalConfig', {
-  enumerable: true,
-  get: function () {
-    return __openid4vc_utils.getGlobalConfig;
-  }
-});
-exports.isJwkInSet = isJwkInSet;
-exports.jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray = jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray;
-exports.jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm = jwaSignatureAlgorithmToFullySpecifiedCoseAlgorithm;
-exports.jwtAuthorizationRequestJwtHeaderTyp = jwtAuthorizationRequestJwtHeaderTyp;
-exports.jwtHeaderFromJwtSigner = jwtHeaderFromJwtSigner;
-exports.jwtSignerFromJwt = jwtSignerFromJwt;
-exports.parseAuthorizationResponseRedirectUrl = parseAuthorizationResponseRedirectUrl;
-exports.parsePushedAuthorizationRequestUriReferenceValue = parsePushedAuthorizationRequestUriReferenceValue;
-exports.preAuthorizedCodeGrantIdentifier = preAuthorizedCodeGrantIdentifier;
-exports.pushedAuthorizationRequestUriPrefix = pushedAuthorizationRequestUriPrefix;
-exports.refreshTokenGrantIdentifier = refreshTokenGrantIdentifier;
-exports.resourceRequest = resourceRequest;
-Object.defineProperty(exports, 'setGlobalConfig', {
-  enumerable: true,
-  get: function () {
-    return __openid4vc_utils.setGlobalConfig;
-  }
-});
-exports.signedAuthorizationRequestJwtHeaderTyp = signedAuthorizationRequestJwtHeaderTyp;
-exports.validateJarRequestParams = validateJarRequestParams;
-exports.verifyClientAttestationJwt = verifyClientAttestationJwt;
-exports.verifyIdTokenJwt = verifyIdTokenJwt;
-exports.verifyJwt = verifyJwt;
-exports.verifyResourceRequest = verifyResourceRequest;
-exports.zAlgValueNotNone = zAlgValueNotNone;
-exports.zAuthorizationCodeGrantIdentifier = zAuthorizationCodeGrantIdentifier;
-exports.zAuthorizationErrorResponse = zAuthorizationErrorResponse;
-exports.zAuthorizationResponse = zAuthorizationResponse;
-exports.zAuthorizationResponseFromUriParams = zAuthorizationResponseFromUriParams;
-exports.zAuthorizationServerMetadata = zAuthorizationServerMetadata;
-exports.zCompactJwe = zCompactJwe;
-exports.zCompactJwt = zCompactJwt;
-exports.zIdTokenJwtHeader = zIdTokenJwtHeader;
-exports.zIdTokenJwtPayload = zIdTokenJwtPayload;
-exports.zJarAuthorizationRequest = zJarAuthorizationRequest;
-exports.zJarRequestObjectPayload = zJarRequestObjectPayload;
-exports.zJwk = zJwk;
-exports.zJwkSet = zJwkSet;
-exports.zJwtHeader = zJwtHeader;
-exports.zJwtPayload = zJwtPayload;
-exports.zOauth2ErrorResponse = zOauth2ErrorResponse;
-exports.zPreAuthorizedCodeGrantIdentifier = zPreAuthorizedCodeGrantIdentifier;
-exports.zPushedAuthorizationRequestUriPrefix = zPushedAuthorizationRequestUriPrefix;
-exports.zRefreshTokenGrantIdentifier = zRefreshTokenGrantIdentifier;
-//# sourceMappingURL=index.cjs.map