@openid4vc/openid4vci 0.3.0-alpha-20250224151429

package/dist/index.js

@@ -0,0 +1,2130 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  AuthorizationFlow: () => AuthorizationFlow,
+  Openid4vciClient: () => Openid4vciClient,
+  Openid4vciDraftVersion: () => Openid4vciDraftVersion,
+  Openid4vciError: () => Openid4vciError,
+  Openid4vciIssuer: () => Openid4vciIssuer,
+  Openid4vciRetrieveCredentialsError: () => Openid4vciRetrieveCredentialsError,
+  Openid4vciSendNotificationError: () => Openid4vciSendNotificationError,
+  credentialsSupportedToCredentialConfigurationsSupported: () => credentialsSupportedToCredentialConfigurationsSupported,
+  extractScopesForCredentialConfigurationIds: () => extractScopesForCredentialConfigurationIds,
+  getCredentialConfigurationsMatchingRequestFormat: () => getCredentialConfigurationsMatchingRequestFormat,
+  getGlobalConfig: () => import_utils19.getGlobalConfig,
+  setGlobalConfig: () => import_utils19.setGlobalConfig
+});
+module.exports = __toCommonJS(src_exports);
+var import_utils19 = require("@openid4vc/utils");
+
+// src/credential-request/credential-request-configurations.ts
+var import_utils4 = require("@openid4vc/utils");
+
+// src/metadata/credential-issuer/credential-issuer-metadata.ts
+var import_oauth23 = require("@openid4vc/oauth2");
+var import_utils3 = require("@openid4vc/utils");
+
+// src/metadata/credential-issuer/z-credential-issuer-metadata.ts
+var import_oauth22 = require("@openid4vc/oauth2");
+var import_utils2 = require("@openid4vc/utils");
+var import_zod9 = __toESM(require("zod"));
+
+// src/formats/credential/mso-mdoc/z-mso-mdoc.ts
+var import_zod3 = __toESM(require("zod"));
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var import_zod2 = __toESM(require("zod"));
+
+// src/key-attestation/z-key-attestation.ts
+var import_oauth2 = require("@openid4vc/oauth2");
+var import_utils = require("@openid4vc/utils");
+var import_zod = __toESM(require("zod"));
+var zKeyAttestationJwtHeader = import_zod.default.object({
+  ...import_oauth2.zJwtHeader.shape,
+  typ: import_zod.default.literal("keyattestation+jwt")
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = import_zod.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = import_zod.default.array(import_zod.default.union([zIso18045, import_zod.default.string()]));
+var zKeyAttestationJwtPayload = import_zod.default.object({
+  ...import_oauth2.zJwtPayload.shape,
+  iat: import_utils.zInteger,
+  attested_keys: import_zod.default.array(import_oauth2.zJwk),
+  key_storage: import_zod.default.optional(zIso18045OrStringArray),
+  user_authentication: import_zod.default.optional(zIso18045OrStringArray),
+  certification: import_zod.default.optional(import_zod.default.string())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => import_zod.default.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? import_zod.default.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : import_zod.default.optional(import_zod.default.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? import_utils.zInteger : import_zod.default.optional(import_utils.zInteger)
+}).passthrough();
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedClaims = import_zod2.default.object({
+  mandatory: import_zod2.default.boolean().optional(),
+  value_type: import_zod2.default.string().optional(),
+  display: import_zod2.default.object({
+    name: import_zod2.default.string().optional(),
+    locale: import_zod2.default.string().optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialConfigurationSupportedCommon = import_zod2.default.object({
+  format: import_zod2.default.string(),
+  scope: import_zod2.default.string().optional(),
+  cryptographic_binding_methods_supported: import_zod2.default.array(import_zod2.default.string()).optional(),
+  credential_signing_alg_values_supported: import_zod2.default.array(import_zod2.default.string()).optional(),
+  proof_types_supported: import_zod2.default.record(
+    import_zod2.default.union([import_zod2.default.literal("jwt"), import_zod2.default.literal("attestation"), import_zod2.default.string()]),
+    import_zod2.default.object({
+      proof_signing_alg_values_supported: import_zod2.default.array(import_zod2.default.string()),
+      key_attestations_required: import_zod2.default.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  display: import_zod2.default.array(
+    import_zod2.default.object({
+      name: import_zod2.default.string(),
+      locale: import_zod2.default.string().optional(),
+      logo: import_zod2.default.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: import_zod2.default.string().optional(),
+        alt_text: import_zod2.default.string().optional()
+      }).passthrough().optional(),
+      description: import_zod2.default.string().optional(),
+      background_color: import_zod2.default.string().optional(),
+      background_image: import_zod2.default.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: import_zod2.default.string().optional()
+      }).passthrough().optional(),
+      text_color: import_zod2.default.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
+
+// src/formats/credential/mso-mdoc/z-mso-mdoc.ts
+var zMsoMdocFormatIdentifier = import_zod3.default.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = import_zod3.default.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: import_zod3.default.string(),
+  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaims),
+  order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
+});
+var zMsoMdocCredentialRequestFormat = import_zod3.default.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: import_zod3.default.string(),
+  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaims)
+});
+
+// src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
+var import_zod4 = __toESM(require("zod"));
+var zSdJwtVcFormatIdentifier = import_zod4.default.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadata = import_zod4.default.object({
+  vct: import_zod4.default.string(),
+  format: zSdJwtVcFormatIdentifier,
+  claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaims),
+  order: import_zod4.default.optional(import_zod4.default.array(import_zod4.default.string()))
+});
+var zSdJwtVcCredentialRequestFormat = import_zod4.default.object({
+  format: zSdJwtVcFormatIdentifier,
+  vct: import_zod4.default.string(),
+  claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaims)
+});
+
+// src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
+var import_zod6 = __toESM(require("zod"));
+
+// src/formats/credential/w3c-vc/z-w3c-vc-common.ts
+var import_zod5 = __toESM(require("zod"));
+var zCredentialSubjectLeafType = import_zod5.default.object({
+  mandatory: import_zod5.default.boolean().optional(),
+  value_type: import_zod5.default.string().optional(),
+  display: import_zod5.default.array(
+    import_zod5.default.object({
+      name: import_zod5.default.string().optional(),
+      locale: import_zod5.default.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
+var zClaimValueSchema = import_zod5.default.union([import_zod5.default.array(import_zod5.default.any()), import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()), zCredentialSubjectLeafType]);
+var zW3cVcCredentialSubject = import_zod5.default.record(import_zod5.default.string(), zClaimValueSchema);
+var zW3cVcJsonLdCredentialDefinition = import_zod5.default.object({
+  "@context": import_zod5.default.array(import_zod5.default.string()),
+  type: import_zod5.default.array(import_zod5.default.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+
+// src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
+var zLdpVcFormatIdentifier = import_zod6.default.literal("ldp_vc");
+var zLdpVcCredentialIssuerMetadata = import_zod6.default.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  order: import_zod6.default.array(import_zod6.default.string()).optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft11 = import_zod6.default.object({
+  order: import_zod6.default.array(import_zod6.default.string()).optional(),
+  format: zLdpVcFormatIdentifier,
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  "@context": import_zod6.default.array(import_zod6.default.string()),
+  types: import_zod6.default.array(import_zod6.default.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
+  ({ "@context": context, types, credentialSubject, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      "@context": context,
+      type: types,
+      // Prevent weird typing issue with optional vs undefined
+      ...credentialSubject ? { credentialSubject } : {}
+    }
+  })
+);
+var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  ...credentialDefinition,
+  types: type
+})).and(zLdpVcCredentialIssuerMetadataDraft11);
+var zLdpVcCredentialRequestFormat = import_zod6.default.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition
+});
+var zLdpVcCredentialRequestDraft11 = import_zod6.default.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: import_zod6.default.object({
+    "@context": import_zod6.default.array(import_zod6.default.string()),
+    // credential_definition was using types instead of type in v11
+    types: import_zod6.default.array(import_zod6.default.string()),
+    credentialSubject: zW3cVcCredentialSubject.optional()
+  })
+}).passthrough();
+var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(
+  ({ credential_definition: { types, ...restCredentialDefinition }, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      ...restCredentialDefinition,
+      type: types
+    }
+  })
+);
+var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+  ...rest,
+  credential_definition: {
+    ...restCredentialDefinition,
+    types: type
+  }
+})).and(zLdpVcCredentialRequestDraft11);
+
+// src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
+var import_zod7 = __toESM(require("zod"));
+var zJwtVcJsonLdFormatIdentifier = import_zod7.default.literal("jwt_vc_json-ld");
+var zJwtVcJsonLdCredentialIssuerMetadata = import_zod7.default.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  order: import_zod7.default.optional(import_zod7.default.array(import_zod7.default.string()))
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod7.default.object({
+  order: import_zod7.default.array(import_zod7.default.string()).optional(),
+  format: zJwtVcJsonLdFormatIdentifier,
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  "@context": import_zod7.default.array(import_zod7.default.string()),
+  types: import_zod7.default.array(import_zod7.default.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
+  ({ "@context": context, types, credentialSubject, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      "@context": context,
+      type: types,
+      // Prevent weird typing issue with optional vs undefined
+      ...credentialSubject ? { credentialSubject } : {}
+    }
+  })
+);
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  ...credentialDefinition,
+  types: type
+})).and(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
+var zJwtVcJsonLdCredentialRequestFormat = import_zod7.default.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition
+});
+var zJwtVcJsonLdCredentialRequestDraft11 = import_zod7.default.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: import_zod7.default.object({
+    "@context": import_zod7.default.array(import_zod7.default.string()),
+    // credential_definition was using types instead of type in v11
+    types: import_zod7.default.array(import_zod7.default.string()),
+    credentialSubject: import_zod7.default.optional(zW3cVcCredentialSubject)
+  }).passthrough()
+}).passthrough();
+var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
+  ({ credential_definition: { types, ...restCredentialDefinition }, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      ...restCredentialDefinition,
+      type: types
+    }
+  })
+);
+var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+  ...rest,
+  credential_definition: {
+    ...restCredentialDefinition,
+    types: type
+  }
+})).and(zJwtVcJsonLdCredentialRequestDraft11);
+
+// src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
+var import_zod8 = __toESM(require("zod"));
+var zJwtVcJsonFormatIdentifier = import_zod8.default.literal("jwt_vc_json");
+var zJwtVcJsonCredentialDefinition = import_zod8.default.object({
+  type: import_zod8.default.array(import_zod8.default.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zJwtVcJsonCredentialIssuerMetadata = import_zod8.default.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinition,
+  order: import_zod8.default.array(import_zod8.default.string()).optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod8.default.object({
+  format: zJwtVcJsonFormatIdentifier,
+  order: import_zod8.default.array(import_zod8.default.string()).optional(),
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  types: import_zod8.default.array(import_zod8.default.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
+  ({ types, credentialSubject, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      type: types,
+      // Prevent weird typing issue with optional vs undefined
+      ...credentialSubject ? { credentialSubject } : {}
+    }
+  })
+);
+var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  types: type,
+  ...credentialDefinition
+})).and(zJwtVcJsonCredentialIssuerMetadataDraft11);
+var zJwtVcJsonCredentialRequestFormat = import_zod8.default.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinition
+});
+var zJwtVcJsonCredentialRequestDraft11 = import_zod8.default.object({
+  format: zJwtVcJsonFormatIdentifier,
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  types: import_zod8.default.array(import_zod8.default.string()),
+  credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubject)
+}).passthrough();
+var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
+  ({ types, credentialSubject, ...rest }) => {
+    return {
+      ...rest,
+      credential_definition: {
+        type: types,
+        // Prevent weird typing issue with optional vs undefined
+        ...credentialSubject ? { credentialSubject } : {}
+      }
+    };
+  }
+);
+var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  types: type,
+  ...credentialDefinition
+})).and(zJwtVcJsonCredentialRequestDraft11);
+
+// src/version.ts
+var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft14"] = "Draft14";
+  Openid4vciDraftVersion2["Draft11"] = "Draft11";
+  return Openid4vciDraftVersion2;
+})(Openid4vciDraftVersion || {});
+
+// src/metadata/credential-issuer/z-credential-issuer-metadata.ts
+var allCredentialIssuerMetadataFormats = [
+  zSdJwtVcCredentialIssuerMetadata,
+  zMsoMdocCredentialIssuerMetadata,
+  zJwtVcJsonLdCredentialIssuerMetadata,
+  zLdpVcCredentialIssuerMetadata,
+  zJwtVcJsonCredentialIssuerMetadata
+];
+var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
+  (format) => format.shape.format.value
+);
+var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSupportedCommon.transform(
+  (data, ctx) => {
+    if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
+    const result = import_zod9.default.object({}).passthrough().and(import_zod9.default.discriminatedUnion("format", allCredentialIssuerMetadataFormats)).safeParse(data);
+    if (result.success) {
+      return result.data;
+    }
+    for (const issue of result.error.issues) {
+      ctx.addIssue(issue);
+    }
+    return import_zod9.default.NEVER;
+  }
+);
+var zCredentialIssuerMetadataDisplayEntry = import_zod9.default.object({
+  name: import_zod9.default.string().optional(),
+  locale: import_zod9.default.string().optional(),
+  logo: import_zod9.default.object({
+    // FIXME: make required again, but need to support draft 11 first
+    uri: import_zod9.default.string().optional(),
+    alt_text: import_zod9.default.string().optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialIssuerMetadataDraft14 = import_zod9.default.object({
+  credential_issuer: import_utils2.zHttpsUrl,
+  authorization_servers: import_zod9.default.array(import_utils2.zHttpsUrl).optional(),
+  credential_endpoint: import_utils2.zHttpsUrl,
+  deferred_credential_endpoint: import_utils2.zHttpsUrl.optional(),
+  notification_endpoint: import_utils2.zHttpsUrl.optional(),
+  // Added after draft 14, but needed for proper
+  nonce_endpoint: import_utils2.zHttpsUrl.optional(),
+  credential_response_encryption: import_zod9.default.object({
+    alg_values_supported: import_zod9.default.array(import_zod9.default.string()),
+    enc_values_supported: import_zod9.default.array(import_zod9.default.string()),
+    encryption_required: import_zod9.default.boolean()
+  }).passthrough().optional(),
+  batch_credential_issuance: import_zod9.default.object({
+    batch_size: import_zod9.default.number().positive()
+  }).passthrough().optional(),
+  signed_metadata: import_oauth22.zCompactJwt.optional(),
+  display: import_zod9.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+  credential_configurations_supported: import_zod9.default.record(import_zod9.default.string(), zCredentialConfigurationSupportedWithFormats)
+}).passthrough();
+var zCredentialConfigurationSupportedDraft11To14 = import_zod9.default.object({
+  id: import_zod9.default.string().optional(),
+  format: import_zod9.default.string(),
+  cryptographic_suites_supported: import_zod9.default.array(import_zod9.default.string()).optional(),
+  display: import_zod9.default.array(
+    import_zod9.default.object({
+      logo: import_zod9.default.object({
+        url: import_zod9.default.string().url().optional()
+      }).passthrough().optional(),
+      background_image: import_zod9.default.object({
+        url: import_zod9.default.string().url().optional()
+      }).passthrough().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough().transform(({ cryptographic_suites_supported, display, id, ...rest }) => ({
+  ...rest,
+  ...cryptographic_suites_supported ? { credential_signing_alg_values_supported: cryptographic_suites_supported } : {},
+  ...display ? {
+    display: display.map(({ logo, background_image, ...displayRest }) => ({
+      ...displayRest,
+      // url became uri and also required
+      // so if there's no url in the logo, we remove the whole logo object
+      ...logo?.url ? {
+        // TODO: we should add the other params from logo as well
+        logo: {
+          uri: logo.url
+        }
+      } : {},
+      // TODO: we should add the other params from background_image as well
+      // url became uri and also required
+      // so if there's no url in the background_image, we remove the whole logo object
+      ...background_image?.url ? {
+        background_image: {
+          uri: background_image.url
+        }
+      } : {}
+    }))
+  } : {}
+})).transform((data, ctx) => {
+  const formatSpecificTransformations = {
+    [zLdpVcFormatIdentifier.value]: zLdpVcCredentialIssuerMetadataDraft11To14,
+    [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialIssuerMetadataDraft11To14,
+    [zJwtVcJsonLdFormatIdentifier.value]: zJwtVcJsonLdCredentialIssuerMetadataDraft11To14
+  };
+  if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
+  const schema = formatSpecificTransformations[data.format];
+  const result = schema.safeParse(data);
+  if (result.success) return result.data;
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return import_zod9.default.NEVER;
+}).pipe(zCredentialConfigurationSupportedWithFormats);
+var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
+  import_zod9.default.object({
+    id: import_zod9.default.string()
+  }).passthrough()
+).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
+  ...rest,
+  ...credential_signing_alg_values_supported ? { cryptographic_suites_supported: credential_signing_alg_values_supported } : {},
+  ...display ? {
+    display: display.map(({ logo, background_image, ...displayRest }) => {
+      const { uri: logoUri, ...logoRest } = logo ?? {};
+      const { uri: backgroundImageUri, ...backgroundImageRest } = background_image ?? {};
+      return {
+        ...displayRest,
+        // draft 11 uses url, draft 13/14 uses uri
+        ...logoUri ? { logo: { url: logoUri, ...logoRest } } : {},
+        // draft 11 uses url, draft 13/14 uses uri
+        ...backgroundImageUri ? { logo: { url: backgroundImageUri, ...backgroundImageRest } } : {}
+      };
+    })
+  } : {},
+  id
+})).pipe(
+  import_zod9.default.union([
+    zLdpVcCredentialIssuerMetadataDraft14To11,
+    zJwtVcJsonCredentialIssuerMetadataDraft14To11,
+    zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
+    // To handle unrecognized formats and not error immediately we allow the common format as well
+    // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
+    // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
+    import_zod9.default.object({
+      format: import_zod9.default.string().refine(
+        (input) => ![
+          zLdpVcFormatIdentifier.value,
+          zJwtVcJsonFormatIdentifier.value,
+          zJwtVcJsonLdFormatIdentifier.value
+        ].includes(input)
+      )
+    }).passthrough()
+  ])
+);
+var zCredentialIssuerMetadataDraft11To14 = import_zod9.default.object({
+  authorization_server: import_zod9.default.string().optional(),
+  credentials_supported: import_zod9.default.array(
+    import_zod9.default.object({
+      id: import_zod9.default.string().optional()
+    }).passthrough()
+  )
+}).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
+  return {
+    ...rest,
+    ...authorization_server ? { authorization_servers: [authorization_server] } : {},
+    // Go from array to map but keep v11 structure
+    credential_configurations_supported: Object.fromEntries(
+      credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0)
+    )
+  };
+}).pipe(
+  import_zod9.default.object({
+    // Update from v11 structrue to v14 structure
+    credential_configurations_supported: import_zod9.default.record(import_zod9.default.string(), zCredentialConfigurationSupportedDraft11To14)
+  }).passthrough()
+).pipe(zCredentialIssuerMetadataDraft14);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.transform((issuerMetadata) => ({
+  ...issuerMetadata,
+  ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
+  credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
+    ...value,
+    id
+  }))
+})).pipe(
+  zCredentialIssuerMetadataDraft14.extend({
+    credentials_supported: import_zod9.default.array(zCredentialConfigurationSupportedDraft14To11)
+  })
+);
+var zCredentialIssuerMetadata = import_zod9.default.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialIssuerMetadataDraft14,
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialIssuerMetadataDraft11To14
+]);
+var zCredentialIssuerMetadataWithDraftVersion = import_zod9.default.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialIssuerMetadataDraft14.transform((credentialIssuerMetadata) => ({
+    credentialIssuerMetadata,
+    originalDraftVersion: "Draft14" /* Draft14 */
+  })),
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
+    credentialIssuerMetadata,
+    originalDraftVersion: "Draft11" /* Draft11 */
+  }))
+]);
+
+// src/metadata/credential-issuer/credential-issuer-metadata.ts
+var wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
+async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
+  const wellKnownMetadataUrl = (0, import_utils3.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
+  const result = await (0, import_oauth23.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
+  if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) {
+    throw new import_oauth23.Oauth2Error(
+      `The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`
+    );
+  }
+  return result;
+}
+function extractKnownCredentialConfigurationSupportedFormats(credentialConfigurationsSupported) {
+  return Object.fromEntries(
+    Object.entries(credentialConfigurationsSupported).filter(
+      (entry) => allCredentialIssuerMetadataFormatIdentifiers.includes(entry[1].format)
+    )
+  );
+}
+
+// src/credential-request/credential-request-configurations.ts
+function getCredentialConfigurationsMatchingRequestFormat({
+  requestFormat,
+  credentialConfigurations
+}) {
+  const knownCredentialConfigurations = extractKnownCredentialConfigurationSupportedFormats(credentialConfigurations);
+  return Object.fromEntries(
+    Object.entries(knownCredentialConfigurations).filter(([, credentialConfiguration]) => {
+      if (credentialConfiguration.format !== requestFormat.format) return false;
+      const r = requestFormat;
+      const c = credentialConfiguration;
+      if ((c.format === "ldp_vc" || c.format === "jwt_vc_json-ld") && r.format === c.format) {
+        return (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type) && (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition["@context"], c.credential_definition["@context"]);
+      }
+      if (c.format === "jwt_vc_json" && r.format === c.format) {
+        return (0, import_utils4.arrayEqualsIgnoreOrder)(r.credential_definition.type, c.credential_definition.type);
+      }
+      if (c.format === "vc+sd-jwt" && r.format === c.format) {
+        return r.vct === c.vct;
+      }
+      if (c.format === "mso_mdoc" && r.format === c.format) {
+        return r.doctype === c.doctype;
+      }
+      return false;
+    })
+  );
+}
+
+// src/error/Openid4vciError.ts
+var Openid4vciError = class extends Error {
+  constructor(message, options) {
+    const errorMessage = message ?? "Unknown error occured.";
+    const causeMessage = options?.cause instanceof Error ? ` ${options.cause.message}` : options?.cause ? ` ${options?.cause}` : "";
+    super(`${errorMessage}${causeMessage}`);
+    this.cause = options?.cause;
+  }
+};
+
+// src/error/Openid4vciRetrieveCredentialsError.ts
+var Openid4vciRetrieveCredentialsError = class extends Openid4vciError {
+  constructor(message, response, responseText) {
+    super(
+      `${message}
+${JSON.stringify(response.credentialResponseResult?.data ?? response.credentialErrorResponseResult?.data ?? responseText, null, 2)}`
+    );
+    this.response = response;
+  }
+};
+
+// src/error/Openid4vciSendNotificationError.ts
+var Openid4vciSendNotificationError = class extends Openid4vciError {
+  constructor(message, response) {
+    super(message);
+    this.response = response;
+  }
+};
+
+// src/metadata/credential-issuer/credential-configurations.ts
+var import_oauth24 = require("@openid4vc/oauth2");
+var import_utils5 = require("@openid4vc/utils");
+function extractScopesForCredentialConfigurationIds(options) {
+  const scopes = /* @__PURE__ */ new Set();
+  for (const credentialConfigurationId of options.credentialConfigurationIds) {
+    const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
+    if (!credentialConfiguration) {
+      throw new import_oauth24.Oauth2Error(
+        `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
+      );
+    }
+    const scope = credentialConfiguration.scope;
+    if (scope) scopes.add(scope);
+    else if (!scope && options.throwOnConfigurationWithoutScope) {
+      throw new import_oauth24.Oauth2Error(
+        `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
+      );
+    }
+  }
+  return scopes.size > 0 ? Array.from(scopes) : void 0;
+}
+function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported) {
+  const credentialConfigurationsSupported = {};
+  for (let index = 0; index < credentialsSupported.length; index++) {
+    const credentialSupported = credentialsSupported[index];
+    if (!credentialSupported.id) {
+      throw new Openid4vciError(
+        `Credential supported at index '${index}' does not have an 'id' property. Credential configuration requires the 'id' property as key`
+      );
+    }
+    const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
+    if (!parseResult.success) {
+      throw new import_utils5.ValidationError(
+        `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
+        parseResult.error
+      );
+    }
+    credentialConfigurationsSupported[credentialSupported.id] = parseResult.data;
+  }
+  return credentialConfigurationsSupported;
+}
+
+// src/Openid4vciClient.ts
+var import_oauth218 = require("@openid4vc/oauth2");
+
+// src/credential-offer/credential-offer.ts
+var import_oauth26 = require("@openid4vc/oauth2");
+var import_utils6 = require("@openid4vc/utils");
+
+// src/credential-offer/z-credential-offer.ts
+var import_oauth25 = require("@openid4vc/oauth2");
+var import_zod11 = __toESM(require("zod"));
+
+// ../utils/src/validation.ts
+var import_zod10 = __toESM(require("zod"));
+
+// ../utils/src/config.ts
+var GLOBAL_CONFIG = {
+  allowInsecureUrls: false
+};
+function getGlobalConfig() {
+  return GLOBAL_CONFIG;
+}
+
+// ../utils/src/validation.ts
+var zHttpsUrl2 = import_zod10.default.string().url().refine(
+  (url) => {
+    const { allowInsecureUrls } = getGlobalConfig();
+    return allowInsecureUrls ? url.startsWith("http://") || url.startsWith("https://") : url.startsWith("https://");
+  },
+  { message: "url must be an https:// url" }
+);
+var zInteger2 = import_zod10.default.number().int();
+var zHttpMethod = import_zod10.default.enum(["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "CONNECT", "PATCH"]);
+
+// src/credential-offer/z-credential-offer.ts
+var zTxCode = import_zod11.default.object({
+  input_mode: import_zod11.default.union([import_zod11.default.literal("numeric"), import_zod11.default.literal("text")]).optional(),
+  length: import_zod11.default.number().int().optional(),
+  description: import_zod11.default.string().max(300).optional()
+}).passthrough();
+var zCredentialOfferGrants = import_zod11.default.object({
+  authorization_code: import_zod11.default.object({
+    issuer_state: import_zod11.default.string().optional(),
+    authorization_server: zHttpsUrl2.optional()
+  }).passthrough().optional(),
+  [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod11.default.object({
+    "pre-authorized_code": import_zod11.default.string(),
+    tx_code: zTxCode.optional(),
+    authorization_server: zHttpsUrl2.optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialOfferObjectDraft14 = import_zod11.default.object({
+  credential_issuer: zHttpsUrl2,
+  credential_configuration_ids: import_zod11.default.array(import_zod11.default.string()),
+  grants: import_zod11.default.optional(zCredentialOfferGrants)
+}).passthrough();
+var zCredentialOfferObjectDraft11To14 = import_zod11.default.object({
+  credential_issuer: zHttpsUrl2,
+  // We don't support the inline offer objects from draft 11
+  credentials: import_zod11.default.array(
+    import_zod11.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
+  ),
+  grants: import_zod11.default.optional(
+    import_zod11.default.object({
+      // Has extra param in draft 14, but doesn't matter for transform purposes
+      authorization_code: zCredentialOfferGrants.shape.authorization_code,
+      [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod11.default.object({
+        "pre-authorized_code": import_zod11.default.string(),
+        user_pin_required: import_zod11.default.optional(import_zod11.default.boolean())
+      }).passthrough().optional()
+    })
+  )
+}).passthrough().transform(({ credentials, grants, ...rest }) => {
+  const v14 = {
+    ...rest,
+    credential_configuration_ids: credentials
+  };
+  if (grants) {
+    v14.grants = { ...grants };
+    if (grants[import_oauth25.preAuthorizedCodeGrantIdentifier]) {
+      const { user_pin_required, ...restGrants } = grants[import_oauth25.preAuthorizedCodeGrantIdentifier];
+      v14.grants[import_oauth25.preAuthorizedCodeGrantIdentifier] = {
+        ...restGrants
+      };
+      if (user_pin_required) {
+        v14.grants[import_oauth25.preAuthorizedCodeGrantIdentifier].tx_code = {
+          input_mode: "text"
+        };
+      }
+    }
+  }
+  return v14;
+}).pipe(zCredentialOfferObjectDraft14);
+var zCredentialOfferObject = import_zod11.default.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialOfferObjectDraft14,
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialOfferObjectDraft11To14
+]);
+
+// src/credential-offer/credential-offer.ts
+async function resolveCredentialOffer(credentialOffer, options) {
+  const parsedQueryParams = (0, import_utils6.getQueryParams)(credentialOffer);
+  let credentialOfferParseResult;
+  if (parsedQueryParams.credential_offer_uri) {
+    const fetchWithZod = (0, import_utils6.createZodFetcher)(options?.fetch);
+    const { response, result } = await fetchWithZod(
+      zCredentialOfferObject,
+      import_utils6.ContentType.Json,
+      parsedQueryParams.credential_offer_uri
+    );
+    if (!response.ok || !result) {
+      throw new import_oauth26.InvalidFetchResponseError(
+        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
+        await response.clone().text(),
+        response
+      );
+    }
+    credentialOfferParseResult = result;
+  } else if (parsedQueryParams.credential_offer) {
+    let credentialOfferJson;
+    try {
+      credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
+    } catch (error) {
+      throw new import_oauth26.Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
+    }
+    credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
+  } else {
+    throw new import_oauth26.Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
+  }
+  if (credentialOfferParseResult.error) {
+    throw new import_utils6.ValidationError(
+      `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
+      credentialOfferParseResult.error
+    );
+  }
+  return credentialOfferParseResult.data;
+}
+function determineAuthorizationServerForCredentialOffer(options) {
+  const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
+  let authorizationServer;
+  if (options.grantAuthorizationServer) {
+    authorizationServer = options.grantAuthorizationServer;
+    if (!authorizationServers) {
+      throw new import_oauth26.Oauth2Error(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
+      );
+    }
+    if (!authorizationServers.includes(authorizationServer)) {
+      throw new import_oauth26.Oauth2Error(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
+      );
+    }
+  } else if (!authorizationServers) {
+    authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
+  } else {
+    if (authorizationServers.length === 0) {
+      throw new import_oauth26.Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
+    }
+    if (authorizationServers.length > 1) {
+      throw new import_oauth26.Oauth2Error(
+        `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
+      );
+    }
+    authorizationServer = authorizationServers[0];
+  }
+  return authorizationServer;
+}
+async function createCredentialOffer(options) {
+  const {
+    [import_oauth26.preAuthorizedCodeGrantIdentifier]: preAuthorizedCodeGrant,
+    [import_oauth26.authorizationCodeGrantIdentifier]: authorizationCodeGrant,
+    ...restGrants
+  } = options.grants;
+  const grants = { ...restGrants };
+  if (authorizationCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    grants[import_oauth26.authorizationCodeGrantIdentifier] = authorizationCodeGrant;
+  }
+  if (preAuthorizedCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
+    });
+    grants[import_oauth26.preAuthorizedCodeGrantIdentifier] = {
+      ...preAuthorizedCodeGrant,
+      "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? (0, import_utils6.encodeToBase64Url)(await options.callbacks.generateRandom(32))
+    };
+    const txCode = grants[import_oauth26.preAuthorizedCodeGrantIdentifier].tx_code;
+    if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+      grants[import_oauth26.preAuthorizedCodeGrantIdentifier].user_pin_required = txCode !== void 0;
+    }
+  }
+  const idsNotInMetadata = options.credentialConfigurationIds.filter(
+    (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
+  );
+  if (idsNotInMetadata.length > 0) {
+    throw new import_oauth26.Oauth2Error(
+      `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
+    );
+  }
+  const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
+  const credentialOfferObject = (0, import_utils6.parseWithErrorHandling)(zCredentialOfferObject, {
+    credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+    credential_configuration_ids: options.credentialConfigurationIds,
+    grants,
+    ...options.additionalPayload
+  });
+  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+    credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
+  }
+  const url = new import_utils6.URL(credentialOfferScheme);
+  url.search = `?${new import_utils6.URLSearchParams([
+    ...url.searchParams.entries(),
+    ...(0, import_utils6.objectToQueryParams)({
+      credential_offer_uri: options.credentialOfferUri,
+      // Only add credential_offer is uri is undefined
+      credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
+    }).entries()
+  ]).toString()}`;
+  return {
+    credentialOffer: url.toString(),
+    credentialOfferObject
+  };
+}
+
+// src/credential-request/format-payload.ts
+var import_utils7 = require("@openid4vc/utils");
+function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
+  const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
+  if (!credentialConfiguration) {
+    throw new Openid4vciError(
+      `Could not find credential configuration with id '${options.credentialConfigurationId}' in metadata of credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'.`
+    );
+  }
+  if ((0, import_utils7.zIs)(zSdJwtVcCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      vct: credentialConfiguration.vct
+    };
+  }
+  if ((0, import_utils7.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      doctype: credentialConfiguration.doctype
+    };
+  }
+  if ((0, import_utils7.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      credential_definition: {
+        "@context": credentialConfiguration.credential_definition["@context"],
+        type: credentialConfiguration.credential_definition.type
+      }
+    };
+  }
+  if ((0, import_utils7.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      credential_definition: {
+        "@context": credentialConfiguration.credential_definition["@context"],
+        type: credentialConfiguration.credential_definition.type
+      }
+    };
+  }
+  if ((0, import_utils7.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      credential_definition: {
+        type: credentialConfiguration.credential_definition.type
+      }
+    };
+  }
+  throw new Openid4vciError(
+    `Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
+  );
+}
+
+// src/credential-request/retrieve-credentials.ts
+var import_oauth210 = require("@openid4vc/oauth2");
+var import_utils9 = require("@openid4vc/utils");
+
+// src/credential-request/z-credential-request.ts
+var import_zod15 = __toESM(require("zod"));
+
+// src/credential-request/z-credential-request-common.ts
+var import_oauth29 = require("@openid4vc/oauth2");
+var import_zod14 = __toESM(require("zod"));
+
+// src/formats/proof-type/jwt/z-jwt-proof-type.ts
+var import_oauth27 = require("@openid4vc/oauth2");
+var import_utils8 = require("@openid4vc/utils");
+var import_zod12 = __toESM(require("zod"));
+var zJwtProofTypeIdentifier = import_zod12.default.literal("jwt");
+var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
+var zCredentialRequestProofJwt = import_zod12.default.object({
+  proof_type: zJwtProofTypeIdentifier,
+  jwt: import_oauth27.zCompactJwt
+});
+var zCredentialRequestJwtProofTypeHeader = import_oauth27.zJwtHeader.merge(
+  import_zod12.default.object({
+    key_attestation: import_zod12.default.optional(import_oauth27.zCompactJwt),
+    typ: import_zod12.default.literal("openid4vci-proof+jwt")
+  })
+).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zCredentialRequestJwtProofTypePayload = import_zod12.default.object({
+  ...import_oauth27.zJwtPayload.shape,
+  aud: import_utils8.zHttpsUrl,
+  iat: import_utils8.zInteger
+}).passthrough();
+
+// src/formats/proof-type/attestation/z-attestation-proof-type.ts
+var import_oauth28 = require("@openid4vc/oauth2");
+var import_zod13 = __toESM(require("zod"));
+var zAttestationProofTypeIdentifier = import_zod13.default.literal("attestation");
+var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
+var zCredentialRequestProofAttestation = import_zod13.default.object({
+  proof_type: zAttestationProofTypeIdentifier,
+  attestation: import_oauth28.zCompactJwt
+});
+var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
+
+// src/credential-request/z-credential-request-common.ts
+var zCredentialRequestProofCommon = import_zod14.default.object({
+  proof_type: import_zod14.default.string()
+}).passthrough();
+var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
+var zCredentialRequestProof = import_zod14.default.union([
+  zCredentialRequestProofCommon,
+  import_zod14.default.discriminatedUnion("proof_type", allCredentialRequestProofs)
+]);
+var zCredentialRequestProofsCommon = import_zod14.default.record(import_zod14.default.string(), import_zod14.default.array(import_zod14.default.unknown()));
+var zCredentialRequestProofs = import_zod14.default.object({
+  [zJwtProofTypeIdentifier.value]: import_zod14.default.optional(import_zod14.default.array(zCredentialRequestProofJwt.shape.jwt)),
+  [zAttestationProofTypeIdentifier.value]: import_zod14.default.optional(import_zod14.default.array(zCredentialRequestProofAttestation.shape.attestation))
+});
+var zCredentialRequestCommon = import_zod14.default.object({
+  proof: zCredentialRequestProof.optional(),
+  proofs: import_zod14.default.optional(
+    import_zod14.default.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
+      message: `The 'proofs' object in a credential request should contain exactly one attribute`
+    })
+  ),
+  credential_response_encryption: import_zod14.default.object({
+    jwk: import_oauth29.zJwk,
+    alg: import_zod14.default.string(),
+    enc: import_zod14.default.string()
+  }).passthrough().optional()
+}).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
+  message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
+});
+
+// src/credential-request/z-credential-request.ts
+var allCredentialRequestFormats = [
+  zSdJwtVcCredentialRequestFormat,
+  zMsoMdocCredentialRequestFormat,
+  zLdpVcCredentialRequestFormat,
+  zJwtVcJsonLdCredentialRequestFormat,
+  zJwtVcJsonCredentialRequestFormat
+];
+var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
+  (format) => format.shape.format.value
+);
+var zAuthorizationDetailsCredentialRequest = import_zod15.default.object({
+  credential_identifier: import_zod15.default.string(),
+  // Cannot be present if credential identifier is present
+  format: import_zod15.default.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
+});
+var zCredentialRequestFormatNoCredentialIdentifier = import_zod15.default.object({
+  format: import_zod15.default.string(),
+  credential_identifier: import_zod15.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional()
+}).passthrough();
+var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+  if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
+  const result = import_zod15.default.object({}).passthrough().and(import_zod15.default.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
+  if (result.success) {
+    return result.data;
+  }
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return import_zod15.default.NEVER;
+});
+var zCredentialRequestDraft14 = import_zod15.default.union([
+  zCredenialRequestDraft14WithFormat,
+  zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
+]);
+var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+  const formatSpecificTransformations = {
+    [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
+    [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft11To14,
+    [zJwtVcJsonLdFormatIdentifier.value]: zJwtVcJsonLdCredentialRequestDraft11To14
+  };
+  if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
+  const schema = formatSpecificTransformations[data.format];
+  const result = schema.safeParse(data);
+  if (result.success) return result.data;
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return import_zod15.default.NEVER;
+}).pipe(zCredentialRequestDraft14);
+var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
+  (data) => data.credential_identifier === void 0,
+  `'credential_identifier' is not supported in OpenID4VCI draft 11`
+).transform((data, ctx) => {
+  const formatSpecificTransformations = {
+    [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft14To11,
+    [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft14To11,
+    [zJwtVcJsonLdFormatIdentifier.value]: zJwtVcJsonLdCredentialRequestDraft14To11
+  };
+  if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
+  const schema = formatSpecificTransformations[data.format];
+  const result = schema.safeParse(data);
+  if (result.success) return result.data;
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return import_zod15.default.NEVER;
+});
+var zCredentialRequest = import_zod15.default.union([zCredentialRequestDraft14, zCredentialRequestDraft11To14]);
+
+// src/credential-request/z-credential-response.ts
+var import_zod17 = __toESM(require("zod"));
+
+// ../oauth2/src/common/z-oauth2-error.ts
+var import_zod16 = __toESM(require("zod"));
+var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
+  Oauth2ErrorCodes4["ServerError"] = "server_error";
+  Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
+  Oauth2ErrorCodes4["InvalidRequest"] = "invalid_request";
+  Oauth2ErrorCodes4["InvalidToken"] = "invalid_token";
+  Oauth2ErrorCodes4["InsufficientScope"] = "insufficient_scope";
+  Oauth2ErrorCodes4["InvalidGrant"] = "invalid_grant";
+  Oauth2ErrorCodes4["InvalidClient"] = "invalid_client";
+  Oauth2ErrorCodes4["UnauthorizedClient"] = "unauthorized_client";
+  Oauth2ErrorCodes4["UnsupportedGrantType"] = "unsupported_grant_type";
+  Oauth2ErrorCodes4["InvalidScope"] = "invalid_scope";
+  Oauth2ErrorCodes4["InvalidDpopProof"] = "invalid_dpop_proof";
+  Oauth2ErrorCodes4["UseDpopNonce"] = "use_dpop_nonce";
+  Oauth2ErrorCodes4["RedirectToWeb"] = "redirect_to_web";
+  Oauth2ErrorCodes4["InvalidSession"] = "invalid_session";
+  Oauth2ErrorCodes4["InsufficientAuthorization"] = "insufficient_authorization";
+  Oauth2ErrorCodes4["InvalidCredentialRequest"] = "invalid_credential_request";
+  Oauth2ErrorCodes4["CredentialRequestDenied"] = "credential_request_denied";
+  Oauth2ErrorCodes4["UnsupportedCredentialType"] = "unsupported_credential_type";
+  Oauth2ErrorCodes4["UnsupportedCredentialFormat"] = "unsupported_credential_format";
+  Oauth2ErrorCodes4["InvalidProof"] = "invalid_proof";
+  Oauth2ErrorCodes4["InvalidNonce"] = "invalid_nonce";
+  Oauth2ErrorCodes4["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
+  Oauth2ErrorCodes4["InvalidRequestUri"] = "invalid_request_uri";
+  Oauth2ErrorCodes4["InvalidRequestObject"] = "invalid_request_object";
+  Oauth2ErrorCodes4["RequestNotSupported"] = "request_not_supported";
+  Oauth2ErrorCodes4["RequestUriNotSupported"] = "request_uri_not_supported";
+  Oauth2ErrorCodes4["VpFormatsNotSupported"] = "vp_formats_not_supported";
+  Oauth2ErrorCodes4["AccessDenied"] = "access_denied";
+  Oauth2ErrorCodes4["InvalidPresentationDefinitionUri"] = "invalid_presentation_definition_uri";
+  Oauth2ErrorCodes4["InvalidPresentationDefinitionReference"] = "invalid_presentation_definition_reference";
+  Oauth2ErrorCodes4["InvalidRequestUriMethod"] = "invalid_request_uri_method";
+  Oauth2ErrorCodes4["InvalidTransactionData"] = "invalid_transaction_data";
+  Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
+  return Oauth2ErrorCodes4;
+})(Oauth2ErrorCodes || {});
+var zOauth2ErrorResponse = import_zod16.default.object({
+  error: import_zod16.default.union([import_zod16.default.nativeEnum(Oauth2ErrorCodes), import_zod16.default.string()]),
+  error_description: import_zod16.default.string().optional(),
+  error_uri: import_zod16.default.string().optional()
+}).passthrough();
+
+// src/credential-request/z-credential-response.ts
+var zCredentialEncoding = import_zod17.default.union([import_zod17.default.string(), import_zod17.default.record(import_zod17.default.string(), import_zod17.default.any())]);
+var zCredentialResponse = import_zod17.default.object({
+  credential: import_zod17.default.optional(zCredentialEncoding),
+  credentials: import_zod17.default.optional(import_zod17.default.array(zCredentialEncoding)),
+  transaction_id: import_zod17.default.string().optional(),
+  c_nonce: import_zod17.default.string().optional(),
+  c_nonce_expires_in: import_zod17.default.number().int().optional(),
+  notification_id: import_zod17.default.string().optional()
+}).passthrough().refine(
+  (value) => {
+    const { credential, credentials, transaction_id } = value;
+    return [credential, credentials, transaction_id].filter((i) => i !== void 0).length === 1;
+  },
+  {
+    message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
+  }
+);
+var zCredentialErrorResponse = import_zod17.default.object({
+  ...zOauth2ErrorResponse.shape,
+  c_nonce: import_zod17.default.string().optional(),
+  c_nonce_expires_in: import_zod17.default.number().int().optional()
+}).passthrough();
+
+// src/credential-request/retrieve-credentials.ts
+async function retrieveCredentialsWithFormat(options) {
+  const credentialRequest = {
+    ...options.formatPayload,
+    ...options.additionalRequestPayload,
+    proof: options.proof,
+    proofs: options.proofs
+  };
+  return retrieveCredentials({
+    callbacks: options.callbacks,
+    credentialRequest,
+    issuerMetadata: options.issuerMetadata,
+    accessToken: options.accessToken,
+    dpop: options.dpop
+  });
+}
+async function retrieveCredentials(options) {
+  const credentialEndpoint = options.issuerMetadata.credentialIssuer.credential_endpoint;
+  let credentialRequest = (0, import_utils9.parseWithErrorHandling)(
+    zCredentialRequest,
+    options.credentialRequest,
+    "Error validating credential request"
+  );
+  if (credentialRequest.proofs) {
+    const { batch_credential_issuance } = options.issuerMetadata.credentialIssuer;
+    if (!batch_credential_issuance) {
+      throw new import_oauth210.Oauth2Error(
+        `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support batch credential issuance using the 'proofs' request property. Only 'proof' is supported.`
+      );
+    }
+    const proofs = Object.values(credentialRequest.proofs)[0];
+    if (proofs.length > batch_credential_issuance.batch_size) {
+      throw new import_oauth210.Oauth2Error(
+        `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' supports batch issuance, but the max batch size is '${batch_credential_issuance.batch_size}'. A total of '${proofs.length}' proofs were provided.`
+      );
+    }
+  }
+  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+    credentialRequest = (0, import_utils9.parseWithErrorHandling)(
+      zCredentialRequestDraft14To11,
+      credentialRequest,
+      `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
+    );
+  }
+  const resourceResponse = await (0, import_oauth210.resourceRequest)({
+    dpop: options.dpop,
+    accessToken: options.accessToken,
+    callbacks: options.callbacks,
+    url: credentialEndpoint,
+    requestOptions: {
+      method: "POST",
+      headers: {
+        "Content-Type": import_utils9.ContentType.Json
+      },
+      body: JSON.stringify(credentialRequest)
+    }
+  });
+  if (!resourceResponse.ok) {
+    const credentialErrorResponseResult = (0, import_utils9.isResponseContentType)(import_utils9.ContentType.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+    return {
+      ...resourceResponse,
+      credentialErrorResponseResult
+    };
+  }
+  const credentialResponseResult = (0, import_utils9.isResponseContentType)(import_utils9.ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+  if (!credentialResponseResult?.success) {
+    return {
+      ...resourceResponse,
+      ok: false,
+      credentialResponseResult
+    };
+  }
+  return {
+    ...resourceResponse,
+    credentialResponse: credentialResponseResult.data
+  };
+}
+
+// src/formats/proof-type/jwt/jwt-proof-type.ts
+var import_oauth213 = require("@openid4vc/oauth2");
+var import_oauth214 = require("@openid4vc/oauth2");
+var import_utils11 = require("@openid4vc/utils");
+
+// src/key-attestation/key-attestation.ts
+var import_oauth211 = require("@openid4vc/oauth2");
+var import_oauth212 = require("@openid4vc/oauth2");
+var import_utils10 = require("@openid4vc/utils");
+async function verifyKeyAttestationJwt(options) {
+  const { header, payload } = (0, import_oauth211.decodeJwt)({
+    jwt: options.keyAttestationJwt,
+    headerSchema: zKeyAttestationJwtHeader,
+    payloadSchema: zKeyAttestationJwtPayloadForUse(options.use)
+  });
+  const now = options.now?.getTime() ?? Date.now();
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Openid4vciError("Nonce used for key attestation jwt expired");
+  }
+  const { signer } = await (0, import_oauth212.verifyJwt)({
+    compact: options.keyAttestationJwt,
+    header,
+    payload,
+    signer: (0, import_oauth212.jwtSignerFromJwt)({ header, payload }),
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "Error verifiying key attestation jwt",
+    expectedNonce: options.expectedNonce,
+    now: options.now
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
+
+// src/formats/proof-type/jwt/jwt-proof-type.ts
+async function createCredentialRequestJwtProof(options) {
+  const header = (0, import_utils11.parseWithErrorHandling)(zCredentialRequestJwtProofTypeHeader, {
+    ...(0, import_oauth213.jwtHeaderFromJwtSigner)(options.signer),
+    key_attestation: options.keyAttestationJwt,
+    typ: "openid4vci-proof+jwt"
+  });
+  const payload = (0, import_utils11.parseWithErrorHandling)(zCredentialRequestJwtProofTypePayload, {
+    nonce: options.nonce,
+    aud: options.credentialIssuer,
+    iat: (0, import_utils11.dateToSeconds)(options.issuedAt),
+    iss: options.clientId
+  });
+  const { jwt, signerJwk } = await options.callbacks.signJwt(options.signer, { header, payload });
+  if (options.keyAttestationJwt) {
+    const decodedKeyAttestation = (0, import_oauth213.decodeJwt)({
+      jwt: options.keyAttestationJwt,
+      headerSchema: zKeyAttestationJwtHeader,
+      payloadSchema: zKeyAttestationJwtPayload
+    });
+    const isSigedWithAttestedKey = await (0, import_oauth213.isJwkInSet)({
+      jwk: signerJwk,
+      jwks: decodedKeyAttestation.payload.attested_keys,
+      callbacks: options.callbacks
+    });
+    if (!isSigedWithAttestedKey) {
+      throw new Openid4vciError(
+        `Credential request jwt proof is not signed with a key in the 'key_attestation' jwt payload 'attested_keys'`
+      );
+    }
+  }
+  return jwt;
+}
+async function verifyCredentialRequestJwtProof(options) {
+  const { header, payload } = (0, import_oauth213.decodeJwt)({
+    jwt: options.jwt,
+    headerSchema: zCredentialRequestJwtProofTypeHeader,
+    payloadSchema: zCredentialRequestJwtProofTypePayload
+  });
+  const now = options.now?.getTime() ?? Date.now();
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Openid4vciError("Nonce used for credential request proof expired");
+  }
+  const { signer } = await (0, import_oauth214.verifyJwt)({
+    compact: options.jwt,
+    header,
+    payload,
+    signer: (0, import_oauth214.jwtSignerFromJwt)({ header, payload }),
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "Error verifiying credential request proof jwt",
+    expectedNonce: options.expectedNonce,
+    expectedAudience: options.credentialIssuer,
+    expectedIssuer: options.clientId,
+    now: options.now
+  });
+  let keyAttestationResult = void 0;
+  if (header.key_attestation) {
+    keyAttestationResult = await verifyKeyAttestationJwt({
+      callbacks: options.callbacks,
+      keyAttestationJwt: header.key_attestation,
+      use: "proof_type.jwt"
+    });
+    const isSigedWithAttestedKey = await (0, import_oauth213.isJwkInSet)({
+      jwk: signer.publicJwk,
+      jwks: keyAttestationResult.payload.attested_keys,
+      callbacks: options.callbacks
+    });
+    if (!isSigedWithAttestedKey) {
+      throw new Openid4vciError(
+        `Credential request jwt proof is not signed with a key in the 'key_attestation' jwt payload 'attested_keys'`
+      );
+    }
+  }
+  return {
+    header,
+    payload,
+    signer,
+    keyAttestation: keyAttestationResult
+  };
+}
+
+// src/metadata/fetch-issuer-metadata.ts
+var import_oauth215 = require("@openid4vc/oauth2");
+var import_utils12 = require("@openid4vc/utils");
+async function resolveIssuerMetadata(credentialIssuer, options) {
+  const allowAuthorizationMetadataFromCredentialIssuerMetadata = options?.allowAuthorizationMetadataFromCredentialIssuerMetadata ?? true;
+  const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, options?.fetch);
+  if (!credentialIssuerMetadataWithDraftVersion) {
+    throw new import_oauth215.Oauth2Error(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
+  }
+  const { credentialIssuerMetadata, originalDraftVersion } = credentialIssuerMetadataWithDraftVersion;
+  const authorizationServers = credentialIssuerMetadata.authorization_servers ?? [credentialIssuer];
+  const authoriationServersMetadata = [];
+  for (const authorizationServer of authorizationServers) {
+    if (options?.restrictToAuthorizationServers && !options.restrictToAuthorizationServers.includes(authorizationServer)) {
+      continue;
+    }
+    let authorizationServerMetadata = await (0, import_oauth215.fetchAuthorizationServerMetadata)(authorizationServer, options?.fetch);
+    if (!authorizationServerMetadata && authorizationServer === credentialIssuer && allowAuthorizationMetadataFromCredentialIssuerMetadata) {
+      authorizationServerMetadata = (0, import_utils12.parseWithErrorHandling)(
+        import_oauth215.zAuthorizationServerMetadata,
+        {
+          token_endpoint: credentialIssuerMetadata.token_endpoint,
+          issuer: credentialIssuer
+        },
+        `Well known authorization server metadata for authorization server '${authorizationServer}' not found, and could also not extract required values from the credential issuer metadata as a fallback.`
+      );
+    }
+    if (!authorizationServerMetadata) {
+      throw new import_oauth215.Oauth2Error(
+        `Well known openid configuration or authorization server metadata for authorization server '${authorizationServer}' not found.`
+      );
+    }
+    authoriationServersMetadata.push(authorizationServerMetadata);
+  }
+  return {
+    originalDraftVersion,
+    credentialIssuer: credentialIssuerMetadata,
+    authorizationServers: authoriationServersMetadata
+  };
+}
+
+// src/nonce/nonce-request.ts
+var import_oauth216 = require("@openid4vc/oauth2");
+var import_utils14 = require("@openid4vc/utils");
+
+// src/nonce/z-nonce.ts
+var import_utils13 = require("@openid4vc/utils");
+var import_zod18 = __toESM(require("zod"));
+var zNonceResponse = import_zod18.default.object({
+  c_nonce: import_zod18.default.string(),
+  c_nonce_expires_in: import_zod18.default.optional(import_utils13.zInteger)
+}).passthrough();
+
+// src/nonce/nonce-request.ts
+async function requestNonce(options) {
+  const fetchWithZod = (0, import_utils14.createZodFetcher)(options?.fetch);
+  const nonceEndpoint = options.issuerMetadata.credentialIssuer.nonce_endpoint;
+  if (!nonceEndpoint) {
+    throw new Openid4vciError(
+      `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a nonce endpoint.`
+    );
+  }
+  const { response, result } = await fetchWithZod(zNonceResponse, import_utils14.ContentType.Json, nonceEndpoint, {
+    method: "POST"
+  });
+  if (!response.ok || !result) {
+    throw new import_oauth216.InvalidFetchResponseError(
+      `Requesting nonce from '${nonceEndpoint}' resulted in an unsuccesfull response with status '${response.status}'`,
+      await response.clone().text(),
+      response
+    );
+  }
+  if (!result.success) {
+    throw new import_utils14.ValidationError("Error parsing nonce response", result.error);
+  }
+  return result.data;
+}
+function createNonceResponse(options) {
+  return (0, import_utils14.parseWithErrorHandling)(zNonceResponse, {
+    c_nonce: options.cNonce,
+    c_nonce_expires_in: options.cNonceExpiresIn,
+    ...options.additionalPayload
+  });
+}
+
+// src/notification/notification.ts
+var import_oauth217 = require("@openid4vc/oauth2");
+var import_utils15 = require("@openid4vc/utils");
+
+// src/notification/z-notification.ts
+var import_zod19 = __toESM(require("zod"));
+var zNotificationEvent = import_zod19.default.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
+var zNotificationRequest = import_zod19.default.object({
+  notification_id: import_zod19.default.string(),
+  event: zNotificationEvent,
+  event_description: import_zod19.default.optional(import_zod19.default.string())
+}).passthrough();
+var zNotificationErrorResponse = import_zod19.default.object({
+  error: import_zod19.default.enum(["invalid_notification_id", "invalid_notification_request"])
+}).passthrough();
+
+// src/notification/notification.ts
+async function sendNotifcation(options) {
+  const notificationEndpoint = options.issuerMetadata.credentialIssuer.notification_endpoint;
+  if (!notificationEndpoint) {
+    throw new import_oauth217.Oauth2Error(
+      `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a notification endpiont configured.`
+    );
+  }
+  const notificationRequest = (0, import_utils15.parseWithErrorHandling)(
+    zNotificationRequest,
+    {
+      event: options.notification.event,
+      notification_id: options.notification.notificationId,
+      event_description: options.notification.eventDescription
+    },
+    "Error validating notification request"
+  );
+  const resourceResponse = await (0, import_oauth217.resourceRequest)({
+    dpop: options.dpop,
+    accessToken: options.accessToken,
+    callbacks: options.callbacks,
+    url: notificationEndpoint,
+    requestOptions: {
+      method: "POST",
+      headers: {
+        "Content-Type": import_utils15.ContentType.Json
+      },
+      body: JSON.stringify(notificationRequest)
+    }
+  });
+  if (!resourceResponse.ok) {
+    const notificationErrorResponseResult = (0, import_utils15.isResponseContentType)(import_utils15.ContentType.Json, resourceResponse.response) ? zNotificationErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+    return {
+      ...resourceResponse,
+      notificationErrorResponseResult
+    };
+  }
+  return resourceResponse;
+}
+
+// src/Openid4vciClient.ts
+var AuthorizationFlow = /* @__PURE__ */ ((AuthorizationFlow2) => {
+  AuthorizationFlow2["Oauth2Redirect"] = "Oauth2Redirect";
+  AuthorizationFlow2["PresentationDuringIssuance"] = "PresentationDuringIssuance";
+  return AuthorizationFlow2;
+})(AuthorizationFlow || {});
+var Openid4vciClient = class {
+  constructor(options) {
+    this.options = options;
+    this.oauth2Client = new import_oauth218.Oauth2Client({
+      callbacks: this.options.callbacks
+    });
+  }
+  getKnownCredentialConfigurationsSupported(credentialIssuerMetadata) {
+    return extractKnownCredentialConfigurationSupportedFormats(
+      credentialIssuerMetadata.credential_configurations_supported
+    );
+  }
+  /**
+   * Resolve a credential offer into a credential offer object, handling both
+   * 'credential_offer' and 'credential_offer_uri' params.
+   */
+  async resolveCredentialOffer(credentialOffer) {
+    return resolveCredentialOffer(credentialOffer, {
+      fetch: this.options.callbacks.fetch
+    });
+  }
+  async resolveIssuerMetadata(credentialIssuer) {
+    return resolveIssuerMetadata(credentialIssuer, {
+      fetch: this.options.callbacks.fetch
+    });
+  }
+  /**
+   * Retrieve an authorization code for a presentation during issuance session
+   *
+   * This can only be called if an authorization challenge was performed before and returned a
+   * `presentation` paramater along with an `auth_session`. If the presentation response included
+   * an `presentation_during_issuance_session` parameter it MUST be included in this request as well.
+   */
+  async retrieveAuthorizationCodeUsingPresentation(options) {
+    if (!options.credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth218.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+    }
+    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+      options.issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const oauth2Client = new import_oauth218.Oauth2Client({ callbacks: this.options.callbacks });
+    const { authorizationChallengeResponse, dpop } = await oauth2Client.sendAuthorizationChallengeRequest({
+      authorizationServerMetadata,
+      authSession: options.authSession,
+      presentationDuringIssuanceSession: options.presentationDuringIssuanceSession,
+      dpop: options.dpop
+    });
+    return { authorizationChallengeResponse, dpop };
+  }
+  /**
+   * Initiates authorization for credential issuance. It handles the following cases:
+   * - Authorization Challenge
+   * - Pushed Authorization Request
+   * - Regular Authorization url
+   *
+   * In case the authorization challenge request returns an error with `insufficient_authorization`
+   * with a `presentation` field it means the authorization server expects presentation of credentials
+   * before issuance of crednetials. If this is the case, the value in `presentation` should be treated
+   * as an openid4vp authorization request and submitted to the verifier. Once the presentation response
+   * has been submitted, the RP will respnosd with a `presentation_during_issuance_session` parameter.
+   * Together with the `auth_session` parameter returned in this call you can retrieve an `authorization_code`
+   * using
+   */
+  async initiateAuthorization(options) {
+    if (!options.credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth218.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+    }
+    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+      options.issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const oauth2Client = new import_oauth218.Oauth2Client({ callbacks: this.options.callbacks });
+    try {
+      const result = await oauth2Client.initiateAuthorization({
+        clientId: options.clientId,
+        pkceCodeVerifier: options.pkceCodeVerifier,
+        redirectUri: options.redirectUri,
+        scope: options.scope,
+        additionalRequestPayload: {
+          ...options.additionalRequestPayload,
+          issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
+        },
+        dpop: options.dpop,
+        clientAttestation: options.clientAttestation,
+        resource: options.issuerMetadata.credentialIssuer.credential_issuer,
+        authorizationServerMetadata
+      });
+      return {
+        ...result,
+        authorizationFlow: "Oauth2Redirect" /* Oauth2Redirect */,
+        authorizationServer: authorizationServerMetadata.issuer
+      };
+    } catch (error) {
+      if (error instanceof import_oauth218.Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === import_oauth218.Oauth2ErrorCodes.InsufficientAuthorization && error.errorResponse.presentation) {
+        if (!error.errorResponse.auth_session) {
+          throw new Openid4vciError(
+            `Expected 'auth_session' to be defined with authorization challenge response error '${error.errorResponse.error}' and 'presentation' parameter`
+          );
+        }
+        return {
+          authorizationFlow: "PresentationDuringIssuance" /* PresentationDuringIssuance */,
+          openid4vpRequestUrl: error.errorResponse.presentation,
+          authSession: error.errorResponse.auth_session,
+          authorizationServer: authorizationServerMetadata.issuer
+        };
+      }
+      throw error;
+    }
+  }
+  /**
+   * Convenience method around {@link Oauth2Client.createAuthorizationRequestUrl}
+   * but specifically focused on a credential offer
+   */
+  async createAuthorizationRequestUrlFromOffer(options) {
+    if (!options.credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth218.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+    }
+    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+      options.issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const { authorizationRequestUrl, pkce, dpop } = await this.oauth2Client.createAuthorizationRequestUrl({
+      authorizationServerMetadata,
+      clientId: options.clientId,
+      additionalRequestPayload: {
+        ...options.additionalRequestPayload,
+        issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
+      },
+      resource: options.issuerMetadata.credentialIssuer.credential_issuer,
+      redirectUri: options.redirectUri,
+      scope: options.scope,
+      pkceCodeVerifier: options.pkceCodeVerifier,
+      clientAttestation: options.clientAttestation,
+      dpop: options.dpop
+    });
+    return {
+      authorizationRequestUrl,
+      pkce,
+      dpop,
+      authorizationServer: authorizationServerMetadata.issuer
+    };
+  }
+  /**
+   * Convenience method around {@link Oauth2Client.retrievePreAuthorizedCodeAccessToken}
+   * but specifically focused on a credential offer
+   */
+  async retrievePreAuthorizedCodeAccessTokenFromOffer({
+    credentialOffer,
+    issuerMetadata,
+    additionalRequestPayload,
+    txCode,
+    dpop,
+    clientAttestation
+  }) {
+    if (!credentialOffer.grants?.[import_oauth218.preAuthorizedCodeGrantIdentifier]) {
+      throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.preAuthorizedCodeGrantIdentifier}' grant.`);
+    }
+    if (credentialOffer.grants[import_oauth218.preAuthorizedCodeGrantIdentifier].tx_code && !txCode) {
+      throw new import_oauth218.Oauth2Error(
+        `Retrieving access token requires a 'tx_code' in the request, but the 'txCode' parameter was not provided.`
+      );
+    }
+    const preAuthorizedCode = credentialOffer.grants[import_oauth218.preAuthorizedCodeGrantIdentifier]["pre-authorized_code"];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      grantAuthorizationServer: credentialOffer.grants[import_oauth218.preAuthorizedCodeGrantIdentifier].authorization_server,
+      issuerMetadata
+    });
+    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+      issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const result = await this.oauth2Client.retrievePreAuthorizedCodeAccessToken({
+      authorizationServerMetadata,
+      preAuthorizedCode,
+      txCode,
+      resource: issuerMetadata.credentialIssuer.credential_issuer,
+      additionalRequestPayload,
+      dpop,
+      clientAttestation
+    });
+    return {
+      ...result,
+      authorizationServer
+    };
+  }
+  /**
+   * Convenience method around {@link Oauth2Client.retrieveAuthorizationCodeAccessTokenFrom}
+   * but specifically focused on a credential offer
+   */
+  async retrieveAuthorizationCodeAccessTokenFromOffer({
+    issuerMetadata,
+    additionalRequestPayload,
+    credentialOffer,
+    authorizationCode,
+    pkceCodeVerifier,
+    redirectUri,
+    dpop,
+    clientAttestation
+  }) {
+    if (!credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.authorizationCodeGrantIdentifier}' grant.`);
+    }
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      grantAuthorizationServer: credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier].authorization_server,
+      issuerMetadata
+    });
+    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+      issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const result = await this.oauth2Client.retrieveAuthorizationCodeAccessToken({
+      authorizationServerMetadata,
+      authorizationCode,
+      pkceCodeVerifier,
+      additionalRequestPayload,
+      dpop,
+      clientAttestation,
+      redirectUri,
+      resource: issuerMetadata.credentialIssuer.credential_issuer
+    });
+    return {
+      ...result,
+      authorizationServer
+    };
+  }
+  /**
+   * Request a nonce to be used in credential request proofs from the `nonce_endpoint`
+   *
+   * @throws Openid4vciError - if no `nonce_endpoint` is configured in the issuer metadata
+   * @thrwos InvalidFetchResponseError - if the nonce endpoint did not return a succesfull response
+   * @throws ValidationError - if validating the nonce response failed
+   */
+  async requestNonce(options) {
+    return requestNonce(options);
+  }
+  /**
+   * Creates the jwt proof payload and header to be included in a credential request.
+   */
+  async createCredentialRequestJwtProof(options) {
+    const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
+    if (!credentialConfiguration) {
+      throw new Openid4vciError(
+        `Credential configuration with '${options.credentialConfigurationId}' not found in 'credential_configurations_supported' from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
+      );
+    }
+    if (credentialConfiguration.proof_types_supported) {
+      if (!credentialConfiguration.proof_types_supported.jwt) {
+        throw new Openid4vciError(
+          `Credential configuration with id '${options.credentialConfigurationId}' does not support the 'jwt' proof type.`
+        );
+      }
+      if (!credentialConfiguration.proof_types_supported.jwt.proof_signing_alg_values_supported.includes(
+        options.signer.alg
+      )) {
+        throw new Openid4vciError(
+          `Credential configuration with id '${options.credentialConfigurationId}' does not support the '${options.signer.alg}' alg for 'jwt' proof type.`
+        );
+      }
+      if (credentialConfiguration.proof_types_supported.jwt.key_attestations_required && !options.keyAttestationJwt) {
+        throw new Openid4vciError(
+          `Credential configuration with id '${options.credentialConfigurationId}' requires key attestations for 'jwt' proof type but no 'keyAttestationJwt' was provided`
+        );
+      }
+    }
+    const jwt = await createCredentialRequestJwtProof({
+      credentialIssuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+      signer: options.signer,
+      clientId: options.clientId,
+      issuedAt: options.issuedAt,
+      nonce: options.nonce,
+      keyAttestationJwt: options.keyAttestationJwt,
+      callbacks: this.options.callbacks
+    });
+    return {
+      jwt
+    };
+  }
+  /**
+   * @throws Openid4vciRetrieveCredentialsError - if an unsuccesfull response or the respnose couldn't be parsed as credential response
+   * @throws ValidationError - if validation of the credential request failed
+   * @throws Openid4vciError - if the `credentialConfigurationId` couldn't be found, or if the the format specific request couldn't be constructed
+   */
+  async retrieveCredentials({
+    issuerMetadata,
+    proof,
+    proofs,
+    credentialConfigurationId,
+    additionalRequestPayload,
+    accessToken,
+    dpop
+  }) {
+    const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
+      credentialConfigurationId,
+      issuerMetadata
+    });
+    const credentialResponse = await retrieveCredentialsWithFormat({
+      accessToken,
+      formatPayload,
+      issuerMetadata,
+      additionalRequestPayload,
+      proof,
+      proofs,
+      callbacks: this.options.callbacks,
+      dpop
+    });
+    if (!credentialResponse.ok) {
+      throw new Openid4vciRetrieveCredentialsError(
+        `Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`,
+        credentialResponse,
+        await credentialResponse.response.clone().text()
+      );
+    }
+    return credentialResponse;
+  }
+  /**
+   * @throws Openid4vciSendNotificationError - if an unsuccesfull response
+   * @throws ValidationError - if validation of the notification request failed
+   */
+  async sendNotification({
+    issuerMetadata,
+    notification,
+    additionalRequestPayload,
+    accessToken,
+    dpop
+  }) {
+    const notificationResponse = await sendNotifcation({
+      accessToken,
+      issuerMetadata,
+      additionalRequestPayload,
+      callbacks: this.options.callbacks,
+      dpop,
+      notification
+    });
+    if (!notificationResponse.ok) {
+      throw new Openid4vciSendNotificationError(
+        `Error sending notification to '${issuerMetadata.credentialIssuer.credential_issuer}'`,
+        notificationResponse
+      );
+    }
+    return notificationResponse;
+  }
+};
+
+// src/Openid4vciIssuer.ts
+var import_oauth219 = require("@openid4vc/oauth2");
+var import_utils18 = require("@openid4vc/utils");
+
+// src/credential-request/credential-response.ts
+var import_utils16 = require("@openid4vc/utils");
+function createCredentialResponse(options) {
+  const credentialResponse = (0, import_utils16.parseWithErrorHandling)(zCredentialResponse, {
+    c_nonce: options.cNonce,
+    c_nonce_expires_in: options.cNonceExpiresInSeconds,
+    credential: options.credential,
+    credentials: options.credentials,
+    notification_id: options.notificationId,
+    // NOTE `format` is removed in draft 13. For now if a format was requested
+    // we just always return it in the response as well.
+    format: options.credentialRequest.format?.format,
+    ...options.additionalPayload
+  });
+  return credentialResponse;
+}
+
+// src/credential-request/parse-credential-request.ts
+var import_utils17 = require("@openid4vc/utils");
+var import_zod20 = __toESM(require("zod"));
+function parseCredentialRequest(options) {
+  const credentialRequest = (0, import_utils17.parseWithErrorHandling)(
+    zCredentialRequest,
+    options.credentialRequest,
+    "Error validating credential request"
+  );
+  let proofs = void 0;
+  const knownProofs = zCredentialRequestProofs.strict().safeParse(credentialRequest.proofs);
+  if (knownProofs.success) {
+    proofs = knownProofs.data;
+  }
+  const knownProof = import_zod20.default.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+  if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
+    proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
+  } else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
+    proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
+  }
+  if (credentialRequest.credential_identifier) {
+    return {
+      credentialIdentifier: credentialRequest.credential_identifier,
+      credentialRequest,
+      proofs
+    };
+  }
+  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) {
+    return {
+      // Removes all claims that are not specific to this format
+      format: (0, import_utils17.parseWithErrorHandling)(
+        import_zod20.default.union(allCredentialRequestFormats),
+        credentialRequest,
+        "Unable to validate format specific properties from credential request"
+      ),
+      credentialRequest,
+      proofs
+    };
+  }
+  return {
+    credentialRequest,
+    proofs
+  };
+}
+
+// src/formats/proof-type/attestation/attestation-proof-type.ts
+async function verifyCredentialRequestAttestationProof(options) {
+  const verificationResult = await verifyKeyAttestationJwt({
+    ...options,
+    use: "proof_type.attestation"
+  });
+  return verificationResult;
+}
+
+// src/Openid4vciIssuer.ts
+var Openid4vciIssuer = class {
+  constructor(options) {
+    this.options = options;
+  }
+  getCredentialIssuerMetadataDraft11(credentialIssuerMetadata) {
+    return (0, import_utils18.parseWithErrorHandling)(zCredentialIssuerMetadataWithDraft11, credentialIssuerMetadata);
+  }
+  getKnownCredentialConfigurationsSupported(credentialIssuerMetadata) {
+    return extractKnownCredentialConfigurationSupportedFormats(
+      credentialIssuerMetadata.credential_configurations_supported
+    );
+  }
+  /**
+   * Create issuer metadata and validates the structure is correct
+   */
+  createCredentialIssuerMetadata(credentialIssuerMetadata) {
+    return (0, import_utils18.parseWithErrorHandling)(
+      zCredentialIssuerMetadata,
+      credentialIssuerMetadata,
+      "Error validating credential issuer metadata"
+    );
+  }
+  async createCredentialOffer(options) {
+    return createCredentialOffer({
+      callbacks: this.options.callbacks,
+      credentialConfigurationIds: options.credentialConfigurationIds,
+      grants: options.grants,
+      issuerMetadata: options.issuerMetadata,
+      additionalPayload: options.additionalPayload,
+      credentialOfferScheme: options.credentialOfferScheme,
+      credentialOfferUri: options.credentialOfferUri
+    });
+  }
+  /**
+   * @throws Oauth2ServerErrorResponseError - if verification of the jwt failed. You can extract
+   *  the credential error response from this.
+   */
+  async verifyCredentialRequestJwtProof(options) {
+    try {
+      return await verifyCredentialRequestJwtProof({
+        callbacks: this.options.callbacks,
+        credentialIssuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+        expectedNonce: options.expectedNonce,
+        nonceExpiresAt: options.nonceExpiresAt,
+        jwt: options.jwt,
+        clientId: options.clientId,
+        now: options.now
+      });
+    } catch (error) {
+      throw new import_oauth219.Oauth2ServerErrorResponseError(
+        {
+          error: import_oauth219.Oauth2ErrorCodes.InvalidProof,
+          error_description: (
+            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof import_oauth219.Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
+          )
+        },
+        {
+          internalMessage: "Error verifying credential request proof jwt",
+          cause: error
+        }
+      );
+    }
+  }
+  /**
+   * @throws Oauth2ServerErrorResponseError - if verification of the key attestation failed. You can extract
+   *  the credential error response from this.
+   */
+  async verifyCredentialRequestAttestationProof(options) {
+    try {
+      return await verifyCredentialRequestAttestationProof({
+        callbacks: this.options.callbacks,
+        expectedNonce: options.expectedNonce,
+        keyAttestationJwt: options.keyAttestationJwt,
+        nonceExpiresAt: options.nonceExpiresAt,
+        now: options.now
+      });
+    } catch (error) {
+      throw new import_oauth219.Oauth2ServerErrorResponseError(
+        {
+          error: import_oauth219.Oauth2ErrorCodes.InvalidProof,
+          error_description: (
+            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof import_oauth219.Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
+          )
+        },
+        {
+          internalMessage: "Error verifying credential request proof attestation",
+          cause: error
+        }
+      );
+    }
+  }
+  /**
+   * @throws Oauth2ServerErrorResponseError - when validation of the credential request fails
+   *  You can extract the credential error response from this.
+   */
+  parseCredentialRequest(options) {
+    try {
+      return parseCredentialRequest(options);
+    } catch (error) {
+      throw new import_oauth219.Oauth2ServerErrorResponseError(
+        {
+          error: import_oauth219.Oauth2ErrorCodes.InvalidCredentialRequest,
+          error_description: (
+            // TODO: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof import_utils18.ValidationError ? error.message : "Invalid request"
+          )
+        },
+        {
+          internalMessage: "Error verifying credential request proof jwt",
+          cause: error
+        }
+      );
+    }
+  }
+  /**
+   * @throws ValidationError - when validation of the credential response fails
+   */
+  createCredentialResponse(options) {
+    return createCredentialResponse(options);
+  }
+  /**
+   * @throws ValidationError - when validation of the nonce response fails
+   */
+  createNonceResponse(options) {
+    return createNonceResponse(options);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthorizationFlow,
+  Openid4vciClient,
+  Openid4vciDraftVersion,
+  Openid4vciError,
+  Openid4vciIssuer,
+  Openid4vciRetrieveCredentialsError,
+  Openid4vciSendNotificationError,
+  credentialsSupportedToCredentialConfigurationsSupported,
+  extractScopesForCredentialConfigurationIds,
+  getCredentialConfigurationsMatchingRequestFormat,
+  getGlobalConfig,
+  setGlobalConfig
+});
+//# sourceMappingURL=index.js.map