@openid4vc/openid4vci 0.3.0-alpha-20250224151429

package/dist/index.mjs

@@ -0,0 +1,2124 @@
+// src/index.ts
+import { getGlobalConfig as getGlobalConfig2, setGlobalConfig } from "@openid4vc/utils";
+
+// src/credential-request/credential-request-configurations.ts
+import { arrayEqualsIgnoreOrder } from "@openid4vc/utils";
+
+// src/metadata/credential-issuer/credential-issuer-metadata.ts
+import { Oauth2Error, fetchWellKnownMetadata } from "@openid4vc/oauth2";
+import { joinUriParts } from "@openid4vc/utils";
+
+// src/metadata/credential-issuer/z-credential-issuer-metadata.ts
+import { zCompactJwt } from "@openid4vc/oauth2";
+import { zHttpsUrl } from "@openid4vc/utils";
+import z9 from "zod";
+
+// src/formats/credential/mso-mdoc/z-mso-mdoc.ts
+import z3 from "zod";
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+import z2 from "zod";
+
+// src/key-attestation/z-key-attestation.ts
+import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
+import { zInteger } from "@openid4vc/utils";
+import z from "zod";
+var zKeyAttestationJwtHeader = z.object({
+  ...zJwtHeader.shape,
+  typ: z.literal("keyattestation+jwt")
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = z.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = z.array(z.union([zIso18045, z.string()]));
+var zKeyAttestationJwtPayload = z.object({
+  ...zJwtPayload.shape,
+  iat: zInteger,
+  attested_keys: z.array(zJwk),
+  key_storage: z.optional(zIso18045OrStringArray),
+  user_authentication: z.optional(zIso18045OrStringArray),
+  certification: z.optional(z.string())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => z.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? z.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : z.optional(z.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? zInteger : z.optional(zInteger)
+}).passthrough();
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedClaims = z2.object({
+  mandatory: z2.boolean().optional(),
+  value_type: z2.string().optional(),
+  display: z2.object({
+    name: z2.string().optional(),
+    locale: z2.string().optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialConfigurationSupportedCommon = z2.object({
+  format: z2.string(),
+  scope: z2.string().optional(),
+  cryptographic_binding_methods_supported: z2.array(z2.string()).optional(),
+  credential_signing_alg_values_supported: z2.array(z2.string()).optional(),
+  proof_types_supported: z2.record(
+    z2.union([z2.literal("jwt"), z2.literal("attestation"), z2.string()]),
+    z2.object({
+      proof_signing_alg_values_supported: z2.array(z2.string()),
+      key_attestations_required: z2.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  display: z2.array(
+    z2.object({
+      name: z2.string(),
+      locale: z2.string().optional(),
+      logo: z2.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: z2.string().optional(),
+        alt_text: z2.string().optional()
+      }).passthrough().optional(),
+      description: z2.string().optional(),
+      background_color: z2.string().optional(),
+      background_image: z2.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: z2.string().optional()
+      }).passthrough().optional(),
+      text_color: z2.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
+
+// src/formats/credential/mso-mdoc/z-mso-mdoc.ts
+var zMsoMdocFormatIdentifier = z3.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = z3.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: z3.string(),
+  claims: z3.optional(zCredentialConfigurationSupportedClaims),
+  order: z3.optional(z3.array(z3.string()))
+});
+var zMsoMdocCredentialRequestFormat = z3.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: z3.string(),
+  claims: z3.optional(zCredentialConfigurationSupportedClaims)
+});
+
+// src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
+import z4 from "zod";
+var zSdJwtVcFormatIdentifier = z4.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadata = z4.object({
+  vct: z4.string(),
+  format: zSdJwtVcFormatIdentifier,
+  claims: z4.optional(zCredentialConfigurationSupportedClaims),
+  order: z4.optional(z4.array(z4.string()))
+});
+var zSdJwtVcCredentialRequestFormat = z4.object({
+  format: zSdJwtVcFormatIdentifier,
+  vct: z4.string(),
+  claims: z4.optional(zCredentialConfigurationSupportedClaims)
+});
+
+// src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
+import z6 from "zod";
+
+// src/formats/credential/w3c-vc/z-w3c-vc-common.ts
+import z5 from "zod";
+var zCredentialSubjectLeafType = z5.object({
+  mandatory: z5.boolean().optional(),
+  value_type: z5.string().optional(),
+  display: z5.array(
+    z5.object({
+      name: z5.string().optional(),
+      locale: z5.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
+var zClaimValueSchema = z5.union([z5.array(z5.any()), z5.record(z5.string(), z5.any()), zCredentialSubjectLeafType]);
+var zW3cVcCredentialSubject = z5.record(z5.string(), zClaimValueSchema);
+var zW3cVcJsonLdCredentialDefinition = z5.object({
+  "@context": z5.array(z5.string()),
+  type: z5.array(z5.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+
+// src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
+var zLdpVcFormatIdentifier = z6.literal("ldp_vc");
+var zLdpVcCredentialIssuerMetadata = z6.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  order: z6.array(z6.string()).optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft11 = z6.object({
+  order: z6.array(z6.string()).optional(),
+  format: zLdpVcFormatIdentifier,
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  "@context": z6.array(z6.string()),
+  types: z6.array(z6.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
+  ({ "@context": context, types, credentialSubject, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      "@context": context,
+      type: types,
+      // Prevent weird typing issue with optional vs undefined
+      ...credentialSubject ? { credentialSubject } : {}
+    }
+  })
+);
+var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  ...credentialDefinition,
+  types: type
+})).and(zLdpVcCredentialIssuerMetadataDraft11);
+var zLdpVcCredentialRequestFormat = z6.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition
+});
+var zLdpVcCredentialRequestDraft11 = z6.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: z6.object({
+    "@context": z6.array(z6.string()),
+    // credential_definition was using types instead of type in v11
+    types: z6.array(z6.string()),
+    credentialSubject: zW3cVcCredentialSubject.optional()
+  })
+}).passthrough();
+var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(
+  ({ credential_definition: { types, ...restCredentialDefinition }, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      ...restCredentialDefinition,
+      type: types
+    }
+  })
+);
+var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+  ...rest,
+  credential_definition: {
+    ...restCredentialDefinition,
+    types: type
+  }
+})).and(zLdpVcCredentialRequestDraft11);
+
+// src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
+import z7 from "zod";
+var zJwtVcJsonLdFormatIdentifier = z7.literal("jwt_vc_json-ld");
+var zJwtVcJsonLdCredentialIssuerMetadata = z7.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  order: z7.optional(z7.array(z7.string()))
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z7.object({
+  order: z7.array(z7.string()).optional(),
+  format: zJwtVcJsonLdFormatIdentifier,
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  "@context": z7.array(z7.string()),
+  types: z7.array(z7.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
+  ({ "@context": context, types, credentialSubject, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      "@context": context,
+      type: types,
+      // Prevent weird typing issue with optional vs undefined
+      ...credentialSubject ? { credentialSubject } : {}
+    }
+  })
+);
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  ...credentialDefinition,
+  types: type
+})).and(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
+var zJwtVcJsonLdCredentialRequestFormat = z7.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition
+});
+var zJwtVcJsonLdCredentialRequestDraft11 = z7.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: z7.object({
+    "@context": z7.array(z7.string()),
+    // credential_definition was using types instead of type in v11
+    types: z7.array(z7.string()),
+    credentialSubject: z7.optional(zW3cVcCredentialSubject)
+  }).passthrough()
+}).passthrough();
+var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
+  ({ credential_definition: { types, ...restCredentialDefinition }, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      ...restCredentialDefinition,
+      type: types
+    }
+  })
+);
+var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+  ...rest,
+  credential_definition: {
+    ...restCredentialDefinition,
+    types: type
+  }
+})).and(zJwtVcJsonLdCredentialRequestDraft11);
+
+// src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
+import z8 from "zod";
+var zJwtVcJsonFormatIdentifier = z8.literal("jwt_vc_json");
+var zJwtVcJsonCredentialDefinition = z8.object({
+  type: z8.array(z8.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zJwtVcJsonCredentialIssuerMetadata = z8.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinition,
+  order: z8.array(z8.string()).optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft11 = z8.object({
+  format: zJwtVcJsonFormatIdentifier,
+  order: z8.array(z8.string()).optional(),
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  types: z8.array(z8.string()),
+  credentialSubject: zW3cVcCredentialSubject.optional()
+}).passthrough();
+var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
+  ({ types, credentialSubject, ...rest }) => ({
+    ...rest,
+    credential_definition: {
+      type: types,
+      // Prevent weird typing issue with optional vs undefined
+      ...credentialSubject ? { credentialSubject } : {}
+    }
+  })
+);
+var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  types: type,
+  ...credentialDefinition
+})).and(zJwtVcJsonCredentialIssuerMetadataDraft11);
+var zJwtVcJsonCredentialRequestFormat = z8.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinition
+});
+var zJwtVcJsonCredentialRequestDraft11 = z8.object({
+  format: zJwtVcJsonFormatIdentifier,
+  // Credential definition was spread on top level instead of a separatey property in v11
+  // As well as using types instead of type
+  types: z8.array(z8.string()),
+  credentialSubject: z8.optional(zW3cVcCredentialSubject)
+}).passthrough();
+var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
+  ({ types, credentialSubject, ...rest }) => {
+    return {
+      ...rest,
+      credential_definition: {
+        type: types,
+        // Prevent weird typing issue with optional vs undefined
+        ...credentialSubject ? { credentialSubject } : {}
+      }
+    };
+  }
+);
+var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+  ...rest,
+  types: type,
+  ...credentialDefinition
+})).and(zJwtVcJsonCredentialRequestDraft11);
+
+// src/version.ts
+var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft14"] = "Draft14";
+  Openid4vciDraftVersion2["Draft11"] = "Draft11";
+  return Openid4vciDraftVersion2;
+})(Openid4vciDraftVersion || {});
+
+// src/metadata/credential-issuer/z-credential-issuer-metadata.ts
+var allCredentialIssuerMetadataFormats = [
+  zSdJwtVcCredentialIssuerMetadata,
+  zMsoMdocCredentialIssuerMetadata,
+  zJwtVcJsonLdCredentialIssuerMetadata,
+  zLdpVcCredentialIssuerMetadata,
+  zJwtVcJsonCredentialIssuerMetadata
+];
+var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
+  (format) => format.shape.format.value
+);
+var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSupportedCommon.transform(
+  (data, ctx) => {
+    if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
+    const result = z9.object({}).passthrough().and(z9.discriminatedUnion("format", allCredentialIssuerMetadataFormats)).safeParse(data);
+    if (result.success) {
+      return result.data;
+    }
+    for (const issue of result.error.issues) {
+      ctx.addIssue(issue);
+    }
+    return z9.NEVER;
+  }
+);
+var zCredentialIssuerMetadataDisplayEntry = z9.object({
+  name: z9.string().optional(),
+  locale: z9.string().optional(),
+  logo: z9.object({
+    // FIXME: make required again, but need to support draft 11 first
+    uri: z9.string().optional(),
+    alt_text: z9.string().optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialIssuerMetadataDraft14 = z9.object({
+  credential_issuer: zHttpsUrl,
+  authorization_servers: z9.array(zHttpsUrl).optional(),
+  credential_endpoint: zHttpsUrl,
+  deferred_credential_endpoint: zHttpsUrl.optional(),
+  notification_endpoint: zHttpsUrl.optional(),
+  // Added after draft 14, but needed for proper
+  nonce_endpoint: zHttpsUrl.optional(),
+  credential_response_encryption: z9.object({
+    alg_values_supported: z9.array(z9.string()),
+    enc_values_supported: z9.array(z9.string()),
+    encryption_required: z9.boolean()
+  }).passthrough().optional(),
+  batch_credential_issuance: z9.object({
+    batch_size: z9.number().positive()
+  }).passthrough().optional(),
+  signed_metadata: zCompactJwt.optional(),
+  display: z9.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+  credential_configurations_supported: z9.record(z9.string(), zCredentialConfigurationSupportedWithFormats)
+}).passthrough();
+var zCredentialConfigurationSupportedDraft11To14 = z9.object({
+  id: z9.string().optional(),
+  format: z9.string(),
+  cryptographic_suites_supported: z9.array(z9.string()).optional(),
+  display: z9.array(
+    z9.object({
+      logo: z9.object({
+        url: z9.string().url().optional()
+      }).passthrough().optional(),
+      background_image: z9.object({
+        url: z9.string().url().optional()
+      }).passthrough().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough().transform(({ cryptographic_suites_supported, display, id, ...rest }) => ({
+  ...rest,
+  ...cryptographic_suites_supported ? { credential_signing_alg_values_supported: cryptographic_suites_supported } : {},
+  ...display ? {
+    display: display.map(({ logo, background_image, ...displayRest }) => ({
+      ...displayRest,
+      // url became uri and also required
+      // so if there's no url in the logo, we remove the whole logo object
+      ...logo?.url ? {
+        // TODO: we should add the other params from logo as well
+        logo: {
+          uri: logo.url
+        }
+      } : {},
+      // TODO: we should add the other params from background_image as well
+      // url became uri and also required
+      // so if there's no url in the background_image, we remove the whole logo object
+      ...background_image?.url ? {
+        background_image: {
+          uri: background_image.url
+        }
+      } : {}
+    }))
+  } : {}
+})).transform((data, ctx) => {
+  const formatSpecificTransformations = {
+    [zLdpVcFormatIdentifier.value]: zLdpVcCredentialIssuerMetadataDraft11To14,
+    [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialIssuerMetadataDraft11To14,
+    [zJwtVcJsonLdFormatIdentifier.value]: zJwtVcJsonLdCredentialIssuerMetadataDraft11To14
+  };
+  if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
+  const schema = formatSpecificTransformations[data.format];
+  const result = schema.safeParse(data);
+  if (result.success) return result.data;
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return z9.NEVER;
+}).pipe(zCredentialConfigurationSupportedWithFormats);
+var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
+  z9.object({
+    id: z9.string()
+  }).passthrough()
+).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
+  ...rest,
+  ...credential_signing_alg_values_supported ? { cryptographic_suites_supported: credential_signing_alg_values_supported } : {},
+  ...display ? {
+    display: display.map(({ logo, background_image, ...displayRest }) => {
+      const { uri: logoUri, ...logoRest } = logo ?? {};
+      const { uri: backgroundImageUri, ...backgroundImageRest } = background_image ?? {};
+      return {
+        ...displayRest,
+        // draft 11 uses url, draft 13/14 uses uri
+        ...logoUri ? { logo: { url: logoUri, ...logoRest } } : {},
+        // draft 11 uses url, draft 13/14 uses uri
+        ...backgroundImageUri ? { logo: { url: backgroundImageUri, ...backgroundImageRest } } : {}
+      };
+    })
+  } : {},
+  id
+})).pipe(
+  z9.union([
+    zLdpVcCredentialIssuerMetadataDraft14To11,
+    zJwtVcJsonCredentialIssuerMetadataDraft14To11,
+    zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
+    // To handle unrecognized formats and not error immediately we allow the common format as well
+    // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
+    // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
+    z9.object({
+      format: z9.string().refine(
+        (input) => ![
+          zLdpVcFormatIdentifier.value,
+          zJwtVcJsonFormatIdentifier.value,
+          zJwtVcJsonLdFormatIdentifier.value
+        ].includes(input)
+      )
+    }).passthrough()
+  ])
+);
+var zCredentialIssuerMetadataDraft11To14 = z9.object({
+  authorization_server: z9.string().optional(),
+  credentials_supported: z9.array(
+    z9.object({
+      id: z9.string().optional()
+    }).passthrough()
+  )
+}).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
+  return {
+    ...rest,
+    ...authorization_server ? { authorization_servers: [authorization_server] } : {},
+    // Go from array to map but keep v11 structure
+    credential_configurations_supported: Object.fromEntries(
+      credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0)
+    )
+  };
+}).pipe(
+  z9.object({
+    // Update from v11 structrue to v14 structure
+    credential_configurations_supported: z9.record(z9.string(), zCredentialConfigurationSupportedDraft11To14)
+  }).passthrough()
+).pipe(zCredentialIssuerMetadataDraft14);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.transform((issuerMetadata) => ({
+  ...issuerMetadata,
+  ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
+  credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
+    ...value,
+    id
+  }))
+})).pipe(
+  zCredentialIssuerMetadataDraft14.extend({
+    credentials_supported: z9.array(zCredentialConfigurationSupportedDraft14To11)
+  })
+);
+var zCredentialIssuerMetadata = z9.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialIssuerMetadataDraft14,
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialIssuerMetadataDraft11To14
+]);
+var zCredentialIssuerMetadataWithDraftVersion = z9.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialIssuerMetadataDraft14.transform((credentialIssuerMetadata) => ({
+    credentialIssuerMetadata,
+    originalDraftVersion: "Draft14" /* Draft14 */
+  })),
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
+    credentialIssuerMetadata,
+    originalDraftVersion: "Draft11" /* Draft11 */
+  }))
+]);
+
+// src/metadata/credential-issuer/credential-issuer-metadata.ts
+var wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
+async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
+  const wellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
+  const result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
+  if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) {
+    throw new Oauth2Error(
+      `The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`
+    );
+  }
+  return result;
+}
+function extractKnownCredentialConfigurationSupportedFormats(credentialConfigurationsSupported) {
+  return Object.fromEntries(
+    Object.entries(credentialConfigurationsSupported).filter(
+      (entry) => allCredentialIssuerMetadataFormatIdentifiers.includes(entry[1].format)
+    )
+  );
+}
+
+// src/credential-request/credential-request-configurations.ts
+function getCredentialConfigurationsMatchingRequestFormat({
+  requestFormat,
+  credentialConfigurations
+}) {
+  const knownCredentialConfigurations = extractKnownCredentialConfigurationSupportedFormats(credentialConfigurations);
+  return Object.fromEntries(
+    Object.entries(knownCredentialConfigurations).filter(([, credentialConfiguration]) => {
+      if (credentialConfiguration.format !== requestFormat.format) return false;
+      const r = requestFormat;
+      const c = credentialConfiguration;
+      if ((c.format === "ldp_vc" || c.format === "jwt_vc_json-ld") && r.format === c.format) {
+        return arrayEqualsIgnoreOrder(r.credential_definition.type, c.credential_definition.type) && arrayEqualsIgnoreOrder(r.credential_definition["@context"], c.credential_definition["@context"]);
+      }
+      if (c.format === "jwt_vc_json" && r.format === c.format) {
+        return arrayEqualsIgnoreOrder(r.credential_definition.type, c.credential_definition.type);
+      }
+      if (c.format === "vc+sd-jwt" && r.format === c.format) {
+        return r.vct === c.vct;
+      }
+      if (c.format === "mso_mdoc" && r.format === c.format) {
+        return r.doctype === c.doctype;
+      }
+      return false;
+    })
+  );
+}
+
+// src/error/Openid4vciError.ts
+var Openid4vciError = class extends Error {
+  constructor(message, options) {
+    const errorMessage = message ?? "Unknown error occured.";
+    const causeMessage = options?.cause instanceof Error ? ` ${options.cause.message}` : options?.cause ? ` ${options?.cause}` : "";
+    super(`${errorMessage}${causeMessage}`);
+    this.cause = options?.cause;
+  }
+};
+
+// src/error/Openid4vciRetrieveCredentialsError.ts
+var Openid4vciRetrieveCredentialsError = class extends Openid4vciError {
+  constructor(message, response, responseText) {
+    super(
+      `${message}
+${JSON.stringify(response.credentialResponseResult?.data ?? response.credentialErrorResponseResult?.data ?? responseText, null, 2)}`
+    );
+    this.response = response;
+  }
+};
+
+// src/error/Openid4vciSendNotificationError.ts
+var Openid4vciSendNotificationError = class extends Openid4vciError {
+  constructor(message, response) {
+    super(message);
+    this.response = response;
+  }
+};
+
+// src/metadata/credential-issuer/credential-configurations.ts
+import { Oauth2Error as Oauth2Error2 } from "@openid4vc/oauth2";
+import { ValidationError } from "@openid4vc/utils";
+function extractScopesForCredentialConfigurationIds(options) {
+  const scopes = /* @__PURE__ */ new Set();
+  for (const credentialConfigurationId of options.credentialConfigurationIds) {
+    const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
+    if (!credentialConfiguration) {
+      throw new Oauth2Error2(
+        `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
+      );
+    }
+    const scope = credentialConfiguration.scope;
+    if (scope) scopes.add(scope);
+    else if (!scope && options.throwOnConfigurationWithoutScope) {
+      throw new Oauth2Error2(
+        `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
+      );
+    }
+  }
+  return scopes.size > 0 ? Array.from(scopes) : void 0;
+}
+function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported) {
+  const credentialConfigurationsSupported = {};
+  for (let index = 0; index < credentialsSupported.length; index++) {
+    const credentialSupported = credentialsSupported[index];
+    if (!credentialSupported.id) {
+      throw new Openid4vciError(
+        `Credential supported at index '${index}' does not have an 'id' property. Credential configuration requires the 'id' property as key`
+      );
+    }
+    const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
+    if (!parseResult.success) {
+      throw new ValidationError(
+        `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
+        parseResult.error
+      );
+    }
+    credentialConfigurationsSupported[credentialSupported.id] = parseResult.data;
+  }
+  return credentialConfigurationsSupported;
+}
+
+// src/Openid4vciClient.ts
+import {
+  Oauth2Client,
+  Oauth2ClientAuthorizationChallengeError,
+  Oauth2Error as Oauth2Error7,
+  Oauth2ErrorCodes as Oauth2ErrorCodes2,
+  authorizationCodeGrantIdentifier as authorizationCodeGrantIdentifier2,
+  getAuthorizationServerMetadataFromList as getAuthorizationServerMetadataFromList2,
+  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier3
+} from "@openid4vc/oauth2";
+
+// src/credential-offer/credential-offer.ts
+import {
+  InvalidFetchResponseError,
+  Oauth2Error as Oauth2Error3,
+  authorizationCodeGrantIdentifier,
+  getAuthorizationServerMetadataFromList,
+  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier2
+} from "@openid4vc/oauth2";
+import {
+  ContentType,
+  URL,
+  URLSearchParams,
+  ValidationError as ValidationError2,
+  createZodFetcher,
+  encodeToBase64Url,
+  getQueryParams,
+  objectToQueryParams,
+  parseWithErrorHandling
+} from "@openid4vc/utils";
+
+// src/credential-offer/z-credential-offer.ts
+import {
+  preAuthorizedCodeGrantIdentifier
+} from "@openid4vc/oauth2";
+import z11 from "zod";
+
+// ../utils/src/validation.ts
+import z10 from "zod";
+
+// ../utils/src/config.ts
+var GLOBAL_CONFIG = {
+  allowInsecureUrls: false
+};
+function getGlobalConfig() {
+  return GLOBAL_CONFIG;
+}
+
+// ../utils/src/validation.ts
+var zHttpsUrl2 = z10.string().url().refine(
+  (url) => {
+    const { allowInsecureUrls } = getGlobalConfig();
+    return allowInsecureUrls ? url.startsWith("http://") || url.startsWith("https://") : url.startsWith("https://");
+  },
+  { message: "url must be an https:// url" }
+);
+var zInteger2 = z10.number().int();
+var zHttpMethod = z10.enum(["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "CONNECT", "PATCH"]);
+
+// src/credential-offer/z-credential-offer.ts
+var zTxCode = z11.object({
+  input_mode: z11.union([z11.literal("numeric"), z11.literal("text")]).optional(),
+  length: z11.number().int().optional(),
+  description: z11.string().max(300).optional()
+}).passthrough();
+var zCredentialOfferGrants = z11.object({
+  authorization_code: z11.object({
+    issuer_state: z11.string().optional(),
+    authorization_server: zHttpsUrl2.optional()
+  }).passthrough().optional(),
+  [preAuthorizedCodeGrantIdentifier]: z11.object({
+    "pre-authorized_code": z11.string(),
+    tx_code: zTxCode.optional(),
+    authorization_server: zHttpsUrl2.optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialOfferObjectDraft14 = z11.object({
+  credential_issuer: zHttpsUrl2,
+  credential_configuration_ids: z11.array(z11.string()),
+  grants: z11.optional(zCredentialOfferGrants)
+}).passthrough();
+var zCredentialOfferObjectDraft11To14 = z11.object({
+  credential_issuer: zHttpsUrl2,
+  // We don't support the inline offer objects from draft 11
+  credentials: z11.array(
+    z11.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
+  ),
+  grants: z11.optional(
+    z11.object({
+      // Has extra param in draft 14, but doesn't matter for transform purposes
+      authorization_code: zCredentialOfferGrants.shape.authorization_code,
+      [preAuthorizedCodeGrantIdentifier]: z11.object({
+        "pre-authorized_code": z11.string(),
+        user_pin_required: z11.optional(z11.boolean())
+      }).passthrough().optional()
+    })
+  )
+}).passthrough().transform(({ credentials, grants, ...rest }) => {
+  const v14 = {
+    ...rest,
+    credential_configuration_ids: credentials
+  };
+  if (grants) {
+    v14.grants = { ...grants };
+    if (grants[preAuthorizedCodeGrantIdentifier]) {
+      const { user_pin_required, ...restGrants } = grants[preAuthorizedCodeGrantIdentifier];
+      v14.grants[preAuthorizedCodeGrantIdentifier] = {
+        ...restGrants
+      };
+      if (user_pin_required) {
+        v14.grants[preAuthorizedCodeGrantIdentifier].tx_code = {
+          input_mode: "text"
+        };
+      }
+    }
+  }
+  return v14;
+}).pipe(zCredentialOfferObjectDraft14);
+var zCredentialOfferObject = z11.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialOfferObjectDraft14,
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialOfferObjectDraft11To14
+]);
+
+// src/credential-offer/credential-offer.ts
+async function resolveCredentialOffer(credentialOffer, options) {
+  const parsedQueryParams = getQueryParams(credentialOffer);
+  let credentialOfferParseResult;
+  if (parsedQueryParams.credential_offer_uri) {
+    const fetchWithZod = createZodFetcher(options?.fetch);
+    const { response, result } = await fetchWithZod(
+      zCredentialOfferObject,
+      ContentType.Json,
+      parsedQueryParams.credential_offer_uri
+    );
+    if (!response.ok || !result) {
+      throw new InvalidFetchResponseError(
+        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
+        await response.clone().text(),
+        response
+      );
+    }
+    credentialOfferParseResult = result;
+  } else if (parsedQueryParams.credential_offer) {
+    let credentialOfferJson;
+    try {
+      credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
+    } catch (error) {
+      throw new Oauth2Error3(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
+    }
+    credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
+  } else {
+    throw new Oauth2Error3(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
+  }
+  if (credentialOfferParseResult.error) {
+    throw new ValidationError2(
+      `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
+      credentialOfferParseResult.error
+    );
+  }
+  return credentialOfferParseResult.data;
+}
+function determineAuthorizationServerForCredentialOffer(options) {
+  const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
+  let authorizationServer;
+  if (options.grantAuthorizationServer) {
+    authorizationServer = options.grantAuthorizationServer;
+    if (!authorizationServers) {
+      throw new Oauth2Error3(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
+      );
+    }
+    if (!authorizationServers.includes(authorizationServer)) {
+      throw new Oauth2Error3(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
+      );
+    }
+  } else if (!authorizationServers) {
+    authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
+  } else {
+    if (authorizationServers.length === 0) {
+      throw new Oauth2Error3(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
+    }
+    if (authorizationServers.length > 1) {
+      throw new Oauth2Error3(
+        `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
+      );
+    }
+    authorizationServer = authorizationServers[0];
+  }
+  return authorizationServer;
+}
+async function createCredentialOffer(options) {
+  const {
+    [preAuthorizedCodeGrantIdentifier2]: preAuthorizedCodeGrant,
+    [authorizationCodeGrantIdentifier]: authorizationCodeGrant,
+    ...restGrants
+  } = options.grants;
+  const grants = { ...restGrants };
+  if (authorizationCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    grants[authorizationCodeGrantIdentifier] = authorizationCodeGrant;
+  }
+  if (preAuthorizedCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
+    });
+    grants[preAuthorizedCodeGrantIdentifier2] = {
+      ...preAuthorizedCodeGrant,
+      "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? encodeToBase64Url(await options.callbacks.generateRandom(32))
+    };
+    const txCode = grants[preAuthorizedCodeGrantIdentifier2].tx_code;
+    if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+      grants[preAuthorizedCodeGrantIdentifier2].user_pin_required = txCode !== void 0;
+    }
+  }
+  const idsNotInMetadata = options.credentialConfigurationIds.filter(
+    (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
+  );
+  if (idsNotInMetadata.length > 0) {
+    throw new Oauth2Error3(
+      `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
+    );
+  }
+  const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
+  const credentialOfferObject = parseWithErrorHandling(zCredentialOfferObject, {
+    credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+    credential_configuration_ids: options.credentialConfigurationIds,
+    grants,
+    ...options.additionalPayload
+  });
+  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+    credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
+  }
+  const url = new URL(credentialOfferScheme);
+  url.search = `?${new URLSearchParams([
+    ...url.searchParams.entries(),
+    ...objectToQueryParams({
+      credential_offer_uri: options.credentialOfferUri,
+      // Only add credential_offer is uri is undefined
+      credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
+    }).entries()
+  ]).toString()}`;
+  return {
+    credentialOffer: url.toString(),
+    credentialOfferObject
+  };
+}
+
+// src/credential-request/format-payload.ts
+import { zIs } from "@openid4vc/utils";
+function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
+  const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
+  if (!credentialConfiguration) {
+    throw new Openid4vciError(
+      `Could not find credential configuration with id '${options.credentialConfigurationId}' in metadata of credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'.`
+    );
+  }
+  if (zIs(zSdJwtVcCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      vct: credentialConfiguration.vct
+    };
+  }
+  if (zIs(zMsoMdocCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      doctype: credentialConfiguration.doctype
+    };
+  }
+  if (zIs(zLdpVcCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      credential_definition: {
+        "@context": credentialConfiguration.credential_definition["@context"],
+        type: credentialConfiguration.credential_definition.type
+      }
+    };
+  }
+  if (zIs(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      credential_definition: {
+        "@context": credentialConfiguration.credential_definition["@context"],
+        type: credentialConfiguration.credential_definition.type
+      }
+    };
+  }
+  if (zIs(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration)) {
+    return {
+      format: credentialConfiguration.format,
+      credential_definition: {
+        type: credentialConfiguration.credential_definition.type
+      }
+    };
+  }
+  throw new Openid4vciError(
+    `Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
+  );
+}
+
+// src/credential-request/retrieve-credentials.ts
+import {
+  Oauth2Error as Oauth2Error4,
+  resourceRequest
+} from "@openid4vc/oauth2";
+import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+
+// src/credential-request/z-credential-request.ts
+import z15 from "zod";
+
+// src/credential-request/z-credential-request-common.ts
+import { zJwk as zJwk2 } from "@openid4vc/oauth2";
+import z14 from "zod";
+
+// src/formats/proof-type/jwt/z-jwt-proof-type.ts
+import { zCompactJwt as zCompactJwt2, zJwtHeader as zJwtHeader2, zJwtPayload as zJwtPayload2 } from "@openid4vc/oauth2";
+import { zHttpsUrl as zHttpsUrl3, zInteger as zInteger3 } from "@openid4vc/utils";
+import z12 from "zod";
+var zJwtProofTypeIdentifier = z12.literal("jwt");
+var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
+var zCredentialRequestProofJwt = z12.object({
+  proof_type: zJwtProofTypeIdentifier,
+  jwt: zCompactJwt2
+});
+var zCredentialRequestJwtProofTypeHeader = zJwtHeader2.merge(
+  z12.object({
+    key_attestation: z12.optional(zCompactJwt2),
+    typ: z12.literal("openid4vci-proof+jwt")
+  })
+).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zCredentialRequestJwtProofTypePayload = z12.object({
+  ...zJwtPayload2.shape,
+  aud: zHttpsUrl3,
+  iat: zInteger3
+}).passthrough();
+
+// src/formats/proof-type/attestation/z-attestation-proof-type.ts
+import { zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
+import z13 from "zod";
+var zAttestationProofTypeIdentifier = z13.literal("attestation");
+var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
+var zCredentialRequestProofAttestation = z13.object({
+  proof_type: zAttestationProofTypeIdentifier,
+  attestation: zCompactJwt3
+});
+var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
+
+// src/credential-request/z-credential-request-common.ts
+var zCredentialRequestProofCommon = z14.object({
+  proof_type: z14.string()
+}).passthrough();
+var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
+var zCredentialRequestProof = z14.union([
+  zCredentialRequestProofCommon,
+  z14.discriminatedUnion("proof_type", allCredentialRequestProofs)
+]);
+var zCredentialRequestProofsCommon = z14.record(z14.string(), z14.array(z14.unknown()));
+var zCredentialRequestProofs = z14.object({
+  [zJwtProofTypeIdentifier.value]: z14.optional(z14.array(zCredentialRequestProofJwt.shape.jwt)),
+  [zAttestationProofTypeIdentifier.value]: z14.optional(z14.array(zCredentialRequestProofAttestation.shape.attestation))
+});
+var zCredentialRequestCommon = z14.object({
+  proof: zCredentialRequestProof.optional(),
+  proofs: z14.optional(
+    z14.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
+      message: `The 'proofs' object in a credential request should contain exactly one attribute`
+    })
+  ),
+  credential_response_encryption: z14.object({
+    jwk: zJwk2,
+    alg: z14.string(),
+    enc: z14.string()
+  }).passthrough().optional()
+}).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
+  message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
+});
+
+// src/credential-request/z-credential-request.ts
+var allCredentialRequestFormats = [
+  zSdJwtVcCredentialRequestFormat,
+  zMsoMdocCredentialRequestFormat,
+  zLdpVcCredentialRequestFormat,
+  zJwtVcJsonLdCredentialRequestFormat,
+  zJwtVcJsonCredentialRequestFormat
+];
+var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
+  (format) => format.shape.format.value
+);
+var zAuthorizationDetailsCredentialRequest = z15.object({
+  credential_identifier: z15.string(),
+  // Cannot be present if credential identifier is present
+  format: z15.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
+});
+var zCredentialRequestFormatNoCredentialIdentifier = z15.object({
+  format: z15.string(),
+  credential_identifier: z15.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional()
+}).passthrough();
+var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+  if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
+  const result = z15.object({}).passthrough().and(z15.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
+  if (result.success) {
+    return result.data;
+  }
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return z15.NEVER;
+});
+var zCredentialRequestDraft14 = z15.union([
+  zCredenialRequestDraft14WithFormat,
+  zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
+]);
+var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+  const formatSpecificTransformations = {
+    [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
+    [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft11To14,
+    [zJwtVcJsonLdFormatIdentifier.value]: zJwtVcJsonLdCredentialRequestDraft11To14
+  };
+  if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
+  const schema = formatSpecificTransformations[data.format];
+  const result = schema.safeParse(data);
+  if (result.success) return result.data;
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return z15.NEVER;
+}).pipe(zCredentialRequestDraft14);
+var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
+  (data) => data.credential_identifier === void 0,
+  `'credential_identifier' is not supported in OpenID4VCI draft 11`
+).transform((data, ctx) => {
+  const formatSpecificTransformations = {
+    [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft14To11,
+    [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft14To11,
+    [zJwtVcJsonLdFormatIdentifier.value]: zJwtVcJsonLdCredentialRequestDraft14To11
+  };
+  if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
+  const schema = formatSpecificTransformations[data.format];
+  const result = schema.safeParse(data);
+  if (result.success) return result.data;
+  for (const issue of result.error.issues) {
+    ctx.addIssue(issue);
+  }
+  return z15.NEVER;
+});
+var zCredentialRequest = z15.union([zCredentialRequestDraft14, zCredentialRequestDraft11To14]);
+
+// src/credential-request/z-credential-response.ts
+import z17 from "zod";
+
+// ../oauth2/src/common/z-oauth2-error.ts
+import z16 from "zod";
+var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
+  Oauth2ErrorCodes4["ServerError"] = "server_error";
+  Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
+  Oauth2ErrorCodes4["InvalidRequest"] = "invalid_request";
+  Oauth2ErrorCodes4["InvalidToken"] = "invalid_token";
+  Oauth2ErrorCodes4["InsufficientScope"] = "insufficient_scope";
+  Oauth2ErrorCodes4["InvalidGrant"] = "invalid_grant";
+  Oauth2ErrorCodes4["InvalidClient"] = "invalid_client";
+  Oauth2ErrorCodes4["UnauthorizedClient"] = "unauthorized_client";
+  Oauth2ErrorCodes4["UnsupportedGrantType"] = "unsupported_grant_type";
+  Oauth2ErrorCodes4["InvalidScope"] = "invalid_scope";
+  Oauth2ErrorCodes4["InvalidDpopProof"] = "invalid_dpop_proof";
+  Oauth2ErrorCodes4["UseDpopNonce"] = "use_dpop_nonce";
+  Oauth2ErrorCodes4["RedirectToWeb"] = "redirect_to_web";
+  Oauth2ErrorCodes4["InvalidSession"] = "invalid_session";
+  Oauth2ErrorCodes4["InsufficientAuthorization"] = "insufficient_authorization";
+  Oauth2ErrorCodes4["InvalidCredentialRequest"] = "invalid_credential_request";
+  Oauth2ErrorCodes4["CredentialRequestDenied"] = "credential_request_denied";
+  Oauth2ErrorCodes4["UnsupportedCredentialType"] = "unsupported_credential_type";
+  Oauth2ErrorCodes4["UnsupportedCredentialFormat"] = "unsupported_credential_format";
+  Oauth2ErrorCodes4["InvalidProof"] = "invalid_proof";
+  Oauth2ErrorCodes4["InvalidNonce"] = "invalid_nonce";
+  Oauth2ErrorCodes4["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
+  Oauth2ErrorCodes4["InvalidRequestUri"] = "invalid_request_uri";
+  Oauth2ErrorCodes4["InvalidRequestObject"] = "invalid_request_object";
+  Oauth2ErrorCodes4["RequestNotSupported"] = "request_not_supported";
+  Oauth2ErrorCodes4["RequestUriNotSupported"] = "request_uri_not_supported";
+  Oauth2ErrorCodes4["VpFormatsNotSupported"] = "vp_formats_not_supported";
+  Oauth2ErrorCodes4["AccessDenied"] = "access_denied";
+  Oauth2ErrorCodes4["InvalidPresentationDefinitionUri"] = "invalid_presentation_definition_uri";
+  Oauth2ErrorCodes4["InvalidPresentationDefinitionReference"] = "invalid_presentation_definition_reference";
+  Oauth2ErrorCodes4["InvalidRequestUriMethod"] = "invalid_request_uri_method";
+  Oauth2ErrorCodes4["InvalidTransactionData"] = "invalid_transaction_data";
+  Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
+  return Oauth2ErrorCodes4;
+})(Oauth2ErrorCodes || {});
+var zOauth2ErrorResponse = z16.object({
+  error: z16.union([z16.nativeEnum(Oauth2ErrorCodes), z16.string()]),
+  error_description: z16.string().optional(),
+  error_uri: z16.string().optional()
+}).passthrough();
+
+// src/credential-request/z-credential-response.ts
+var zCredentialEncoding = z17.union([z17.string(), z17.record(z17.string(), z17.any())]);
+var zCredentialResponse = z17.object({
+  credential: z17.optional(zCredentialEncoding),
+  credentials: z17.optional(z17.array(zCredentialEncoding)),
+  transaction_id: z17.string().optional(),
+  c_nonce: z17.string().optional(),
+  c_nonce_expires_in: z17.number().int().optional(),
+  notification_id: z17.string().optional()
+}).passthrough().refine(
+  (value) => {
+    const { credential, credentials, transaction_id } = value;
+    return [credential, credentials, transaction_id].filter((i) => i !== void 0).length === 1;
+  },
+  {
+    message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
+  }
+);
+var zCredentialErrorResponse = z17.object({
+  ...zOauth2ErrorResponse.shape,
+  c_nonce: z17.string().optional(),
+  c_nonce_expires_in: z17.number().int().optional()
+}).passthrough();
+
+// src/credential-request/retrieve-credentials.ts
+async function retrieveCredentialsWithFormat(options) {
+  const credentialRequest = {
+    ...options.formatPayload,
+    ...options.additionalRequestPayload,
+    proof: options.proof,
+    proofs: options.proofs
+  };
+  return retrieveCredentials({
+    callbacks: options.callbacks,
+    credentialRequest,
+    issuerMetadata: options.issuerMetadata,
+    accessToken: options.accessToken,
+    dpop: options.dpop
+  });
+}
+async function retrieveCredentials(options) {
+  const credentialEndpoint = options.issuerMetadata.credentialIssuer.credential_endpoint;
+  let credentialRequest = parseWithErrorHandling2(
+    zCredentialRequest,
+    options.credentialRequest,
+    "Error validating credential request"
+  );
+  if (credentialRequest.proofs) {
+    const { batch_credential_issuance } = options.issuerMetadata.credentialIssuer;
+    if (!batch_credential_issuance) {
+      throw new Oauth2Error4(
+        `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support batch credential issuance using the 'proofs' request property. Only 'proof' is supported.`
+      );
+    }
+    const proofs = Object.values(credentialRequest.proofs)[0];
+    if (proofs.length > batch_credential_issuance.batch_size) {
+      throw new Oauth2Error4(
+        `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' supports batch issuance, but the max batch size is '${batch_credential_issuance.batch_size}'. A total of '${proofs.length}' proofs were provided.`
+      );
+    }
+  }
+  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+    credentialRequest = parseWithErrorHandling2(
+      zCredentialRequestDraft14To11,
+      credentialRequest,
+      `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
+    );
+  }
+  const resourceResponse = await resourceRequest({
+    dpop: options.dpop,
+    accessToken: options.accessToken,
+    callbacks: options.callbacks,
+    url: credentialEndpoint,
+    requestOptions: {
+      method: "POST",
+      headers: {
+        "Content-Type": ContentType2.Json
+      },
+      body: JSON.stringify(credentialRequest)
+    }
+  });
+  if (!resourceResponse.ok) {
+    const credentialErrorResponseResult = isResponseContentType(ContentType2.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+    return {
+      ...resourceResponse,
+      credentialErrorResponseResult
+    };
+  }
+  const credentialResponseResult = isResponseContentType(ContentType2.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+  if (!credentialResponseResult?.success) {
+    return {
+      ...resourceResponse,
+      ok: false,
+      credentialResponseResult
+    };
+  }
+  return {
+    ...resourceResponse,
+    credentialResponse: credentialResponseResult.data
+  };
+}
+
+// src/formats/proof-type/jwt/jwt-proof-type.ts
+import { decodeJwt as decodeJwt2, isJwkInSet, jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2 } from "@openid4vc/oauth2";
+import { jwtSignerFromJwt as jwtSignerFromJwt2, verifyJwt as verifyJwt2 } from "@openid4vc/oauth2";
+import { dateToSeconds as dateToSeconds2, parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
+
+// src/key-attestation/key-attestation.ts
+import { decodeJwt, jwtHeaderFromJwtSigner } from "@openid4vc/oauth2";
+import { jwtSignerFromJwt, verifyJwt } from "@openid4vc/oauth2";
+import { dateToSeconds, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
+async function verifyKeyAttestationJwt(options) {
+  const { header, payload } = decodeJwt({
+    jwt: options.keyAttestationJwt,
+    headerSchema: zKeyAttestationJwtHeader,
+    payloadSchema: zKeyAttestationJwtPayloadForUse(options.use)
+  });
+  const now = options.now?.getTime() ?? Date.now();
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Openid4vciError("Nonce used for key attestation jwt expired");
+  }
+  const { signer } = await verifyJwt({
+    compact: options.keyAttestationJwt,
+    header,
+    payload,
+    signer: jwtSignerFromJwt({ header, payload }),
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "Error verifiying key attestation jwt",
+    expectedNonce: options.expectedNonce,
+    now: options.now
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
+
+// src/formats/proof-type/jwt/jwt-proof-type.ts
+async function createCredentialRequestJwtProof(options) {
+  const header = parseWithErrorHandling4(zCredentialRequestJwtProofTypeHeader, {
+    ...jwtHeaderFromJwtSigner2(options.signer),
+    key_attestation: options.keyAttestationJwt,
+    typ: "openid4vci-proof+jwt"
+  });
+  const payload = parseWithErrorHandling4(zCredentialRequestJwtProofTypePayload, {
+    nonce: options.nonce,
+    aud: options.credentialIssuer,
+    iat: dateToSeconds2(options.issuedAt),
+    iss: options.clientId
+  });
+  const { jwt, signerJwk } = await options.callbacks.signJwt(options.signer, { header, payload });
+  if (options.keyAttestationJwt) {
+    const decodedKeyAttestation = decodeJwt2({
+      jwt: options.keyAttestationJwt,
+      headerSchema: zKeyAttestationJwtHeader,
+      payloadSchema: zKeyAttestationJwtPayload
+    });
+    const isSigedWithAttestedKey = await isJwkInSet({
+      jwk: signerJwk,
+      jwks: decodedKeyAttestation.payload.attested_keys,
+      callbacks: options.callbacks
+    });
+    if (!isSigedWithAttestedKey) {
+      throw new Openid4vciError(
+        `Credential request jwt proof is not signed with a key in the 'key_attestation' jwt payload 'attested_keys'`
+      );
+    }
+  }
+  return jwt;
+}
+async function verifyCredentialRequestJwtProof(options) {
+  const { header, payload } = decodeJwt2({
+    jwt: options.jwt,
+    headerSchema: zCredentialRequestJwtProofTypeHeader,
+    payloadSchema: zCredentialRequestJwtProofTypePayload
+  });
+  const now = options.now?.getTime() ?? Date.now();
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Openid4vciError("Nonce used for credential request proof expired");
+  }
+  const { signer } = await verifyJwt2({
+    compact: options.jwt,
+    header,
+    payload,
+    signer: jwtSignerFromJwt2({ header, payload }),
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "Error verifiying credential request proof jwt",
+    expectedNonce: options.expectedNonce,
+    expectedAudience: options.credentialIssuer,
+    expectedIssuer: options.clientId,
+    now: options.now
+  });
+  let keyAttestationResult = void 0;
+  if (header.key_attestation) {
+    keyAttestationResult = await verifyKeyAttestationJwt({
+      callbacks: options.callbacks,
+      keyAttestationJwt: header.key_attestation,
+      use: "proof_type.jwt"
+    });
+    const isSigedWithAttestedKey = await isJwkInSet({
+      jwk: signer.publicJwk,
+      jwks: keyAttestationResult.payload.attested_keys,
+      callbacks: options.callbacks
+    });
+    if (!isSigedWithAttestedKey) {
+      throw new Openid4vciError(
+        `Credential request jwt proof is not signed with a key in the 'key_attestation' jwt payload 'attested_keys'`
+      );
+    }
+  }
+  return {
+    header,
+    payload,
+    signer,
+    keyAttestation: keyAttestationResult
+  };
+}
+
+// src/metadata/fetch-issuer-metadata.ts
+import {
+  Oauth2Error as Oauth2Error5,
+  fetchAuthorizationServerMetadata,
+  zAuthorizationServerMetadata
+} from "@openid4vc/oauth2";
+import { parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
+async function resolveIssuerMetadata(credentialIssuer, options) {
+  const allowAuthorizationMetadataFromCredentialIssuerMetadata = options?.allowAuthorizationMetadataFromCredentialIssuerMetadata ?? true;
+  const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, options?.fetch);
+  if (!credentialIssuerMetadataWithDraftVersion) {
+    throw new Oauth2Error5(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
+  }
+  const { credentialIssuerMetadata, originalDraftVersion } = credentialIssuerMetadataWithDraftVersion;
+  const authorizationServers = credentialIssuerMetadata.authorization_servers ?? [credentialIssuer];
+  const authoriationServersMetadata = [];
+  for (const authorizationServer of authorizationServers) {
+    if (options?.restrictToAuthorizationServers && !options.restrictToAuthorizationServers.includes(authorizationServer)) {
+      continue;
+    }
+    let authorizationServerMetadata = await fetchAuthorizationServerMetadata(authorizationServer, options?.fetch);
+    if (!authorizationServerMetadata && authorizationServer === credentialIssuer && allowAuthorizationMetadataFromCredentialIssuerMetadata) {
+      authorizationServerMetadata = parseWithErrorHandling5(
+        zAuthorizationServerMetadata,
+        {
+          token_endpoint: credentialIssuerMetadata.token_endpoint,
+          issuer: credentialIssuer
+        },
+        `Well known authorization server metadata for authorization server '${authorizationServer}' not found, and could also not extract required values from the credential issuer metadata as a fallback.`
+      );
+    }
+    if (!authorizationServerMetadata) {
+      throw new Oauth2Error5(
+        `Well known openid configuration or authorization server metadata for authorization server '${authorizationServer}' not found.`
+      );
+    }
+    authoriationServersMetadata.push(authorizationServerMetadata);
+  }
+  return {
+    originalDraftVersion,
+    credentialIssuer: credentialIssuerMetadata,
+    authorizationServers: authoriationServersMetadata
+  };
+}
+
+// src/nonce/nonce-request.ts
+import { InvalidFetchResponseError as InvalidFetchResponseError2 } from "@openid4vc/oauth2";
+import { ContentType as ContentType3, ValidationError as ValidationError3, createZodFetcher as createZodFetcher2, parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/utils";
+
+// src/nonce/z-nonce.ts
+import { zInteger as zInteger4 } from "@openid4vc/utils";
+import z18 from "zod";
+var zNonceResponse = z18.object({
+  c_nonce: z18.string(),
+  c_nonce_expires_in: z18.optional(zInteger4)
+}).passthrough();
+
+// src/nonce/nonce-request.ts
+async function requestNonce(options) {
+  const fetchWithZod = createZodFetcher2(options?.fetch);
+  const nonceEndpoint = options.issuerMetadata.credentialIssuer.nonce_endpoint;
+  if (!nonceEndpoint) {
+    throw new Openid4vciError(
+      `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a nonce endpoint.`
+    );
+  }
+  const { response, result } = await fetchWithZod(zNonceResponse, ContentType3.Json, nonceEndpoint, {
+    method: "POST"
+  });
+  if (!response.ok || !result) {
+    throw new InvalidFetchResponseError2(
+      `Requesting nonce from '${nonceEndpoint}' resulted in an unsuccesfull response with status '${response.status}'`,
+      await response.clone().text(),
+      response
+    );
+  }
+  if (!result.success) {
+    throw new ValidationError3("Error parsing nonce response", result.error);
+  }
+  return result.data;
+}
+function createNonceResponse(options) {
+  return parseWithErrorHandling6(zNonceResponse, {
+    c_nonce: options.cNonce,
+    c_nonce_expires_in: options.cNonceExpiresIn,
+    ...options.additionalPayload
+  });
+}
+
+// src/notification/notification.ts
+import {
+  Oauth2Error as Oauth2Error6,
+  resourceRequest as resourceRequest2
+} from "@openid4vc/oauth2";
+import { ContentType as ContentType4, isResponseContentType as isResponseContentType2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
+
+// src/notification/z-notification.ts
+import z19 from "zod";
+var zNotificationEvent = z19.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
+var zNotificationRequest = z19.object({
+  notification_id: z19.string(),
+  event: zNotificationEvent,
+  event_description: z19.optional(z19.string())
+}).passthrough();
+var zNotificationErrorResponse = z19.object({
+  error: z19.enum(["invalid_notification_id", "invalid_notification_request"])
+}).passthrough();
+
+// src/notification/notification.ts
+async function sendNotifcation(options) {
+  const notificationEndpoint = options.issuerMetadata.credentialIssuer.notification_endpoint;
+  if (!notificationEndpoint) {
+    throw new Oauth2Error6(
+      `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a notification endpiont configured.`
+    );
+  }
+  const notificationRequest = parseWithErrorHandling7(
+    zNotificationRequest,
+    {
+      event: options.notification.event,
+      notification_id: options.notification.notificationId,
+      event_description: options.notification.eventDescription
+    },
+    "Error validating notification request"
+  );
+  const resourceResponse = await resourceRequest2({
+    dpop: options.dpop,
+    accessToken: options.accessToken,
+    callbacks: options.callbacks,
+    url: notificationEndpoint,
+    requestOptions: {
+      method: "POST",
+      headers: {
+        "Content-Type": ContentType4.Json
+      },
+      body: JSON.stringify(notificationRequest)
+    }
+  });
+  if (!resourceResponse.ok) {
+    const notificationErrorResponseResult = isResponseContentType2(ContentType4.Json, resourceResponse.response) ? zNotificationErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+    return {
+      ...resourceResponse,
+      notificationErrorResponseResult
+    };
+  }
+  return resourceResponse;
+}
+
+// src/Openid4vciClient.ts
+var AuthorizationFlow = /* @__PURE__ */ ((AuthorizationFlow2) => {
+  AuthorizationFlow2["Oauth2Redirect"] = "Oauth2Redirect";
+  AuthorizationFlow2["PresentationDuringIssuance"] = "PresentationDuringIssuance";
+  return AuthorizationFlow2;
+})(AuthorizationFlow || {});
+var Openid4vciClient = class {
+  constructor(options) {
+    this.options = options;
+    this.oauth2Client = new Oauth2Client({
+      callbacks: this.options.callbacks
+    });
+  }
+  getKnownCredentialConfigurationsSupported(credentialIssuerMetadata) {
+    return extractKnownCredentialConfigurationSupportedFormats(
+      credentialIssuerMetadata.credential_configurations_supported
+    );
+  }
+  /**
+   * Resolve a credential offer into a credential offer object, handling both
+   * 'credential_offer' and 'credential_offer_uri' params.
+   */
+  async resolveCredentialOffer(credentialOffer) {
+    return resolveCredentialOffer(credentialOffer, {
+      fetch: this.options.callbacks.fetch
+    });
+  }
+  async resolveIssuerMetadata(credentialIssuer) {
+    return resolveIssuerMetadata(credentialIssuer, {
+      fetch: this.options.callbacks.fetch
+    });
+  }
+  /**
+   * Retrieve an authorization code for a presentation during issuance session
+   *
+   * This can only be called if an authorization challenge was performed before and returned a
+   * `presentation` paramater along with an `auth_session`. If the presentation response included
+   * an `presentation_during_issuance_session` parameter it MUST be included in this request as well.
+   */
+  async retrieveAuthorizationCodeUsingPresentation(options) {
+    if (!options.credentialOffer.grants?.[authorizationCodeGrantIdentifier2]) {
+      throw new Oauth2Error7(`Provided credential offer does not include the 'authorization_code' grant.`);
+    }
+    const authorizationCodeGrant = options.credentialOffer.grants[authorizationCodeGrantIdentifier2];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    const authorizationServerMetadata = getAuthorizationServerMetadataFromList2(
+      options.issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const oauth2Client = new Oauth2Client({ callbacks: this.options.callbacks });
+    const { authorizationChallengeResponse, dpop } = await oauth2Client.sendAuthorizationChallengeRequest({
+      authorizationServerMetadata,
+      authSession: options.authSession,
+      presentationDuringIssuanceSession: options.presentationDuringIssuanceSession,
+      dpop: options.dpop
+    });
+    return { authorizationChallengeResponse, dpop };
+  }
+  /**
+   * Initiates authorization for credential issuance. It handles the following cases:
+   * - Authorization Challenge
+   * - Pushed Authorization Request
+   * - Regular Authorization url
+   *
+   * In case the authorization challenge request returns an error with `insufficient_authorization`
+   * with a `presentation` field it means the authorization server expects presentation of credentials
+   * before issuance of crednetials. If this is the case, the value in `presentation` should be treated
+   * as an openid4vp authorization request and submitted to the verifier. Once the presentation response
+   * has been submitted, the RP will respnosd with a `presentation_during_issuance_session` parameter.
+   * Together with the `auth_session` parameter returned in this call you can retrieve an `authorization_code`
+   * using
+   */
+  async initiateAuthorization(options) {
+    if (!options.credentialOffer.grants?.[authorizationCodeGrantIdentifier2]) {
+      throw new Oauth2Error7(`Provided credential offer does not include the 'authorization_code' grant.`);
+    }
+    const authorizationCodeGrant = options.credentialOffer.grants[authorizationCodeGrantIdentifier2];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    const authorizationServerMetadata = getAuthorizationServerMetadataFromList2(
+      options.issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const oauth2Client = new Oauth2Client({ callbacks: this.options.callbacks });
+    try {
+      const result = await oauth2Client.initiateAuthorization({
+        clientId: options.clientId,
+        pkceCodeVerifier: options.pkceCodeVerifier,
+        redirectUri: options.redirectUri,
+        scope: options.scope,
+        additionalRequestPayload: {
+          ...options.additionalRequestPayload,
+          issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
+        },
+        dpop: options.dpop,
+        clientAttestation: options.clientAttestation,
+        resource: options.issuerMetadata.credentialIssuer.credential_issuer,
+        authorizationServerMetadata
+      });
+      return {
+        ...result,
+        authorizationFlow: "Oauth2Redirect" /* Oauth2Redirect */,
+        authorizationServer: authorizationServerMetadata.issuer
+      };
+    } catch (error) {
+      if (error instanceof Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === Oauth2ErrorCodes2.InsufficientAuthorization && error.errorResponse.presentation) {
+        if (!error.errorResponse.auth_session) {
+          throw new Openid4vciError(
+            `Expected 'auth_session' to be defined with authorization challenge response error '${error.errorResponse.error}' and 'presentation' parameter`
+          );
+        }
+        return {
+          authorizationFlow: "PresentationDuringIssuance" /* PresentationDuringIssuance */,
+          openid4vpRequestUrl: error.errorResponse.presentation,
+          authSession: error.errorResponse.auth_session,
+          authorizationServer: authorizationServerMetadata.issuer
+        };
+      }
+      throw error;
+    }
+  }
+  /**
+   * Convenience method around {@link Oauth2Client.createAuthorizationRequestUrl}
+   * but specifically focused on a credential offer
+   */
+  async createAuthorizationRequestUrlFromOffer(options) {
+    if (!options.credentialOffer.grants?.[authorizationCodeGrantIdentifier2]) {
+      throw new Oauth2Error7(`Provided credential offer does not include the 'authorization_code' grant.`);
+    }
+    const authorizationCodeGrant = options.credentialOffer.grants[authorizationCodeGrantIdentifier2];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    const authorizationServerMetadata = getAuthorizationServerMetadataFromList2(
+      options.issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const { authorizationRequestUrl, pkce, dpop } = await this.oauth2Client.createAuthorizationRequestUrl({
+      authorizationServerMetadata,
+      clientId: options.clientId,
+      additionalRequestPayload: {
+        ...options.additionalRequestPayload,
+        issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
+      },
+      resource: options.issuerMetadata.credentialIssuer.credential_issuer,
+      redirectUri: options.redirectUri,
+      scope: options.scope,
+      pkceCodeVerifier: options.pkceCodeVerifier,
+      clientAttestation: options.clientAttestation,
+      dpop: options.dpop
+    });
+    return {
+      authorizationRequestUrl,
+      pkce,
+      dpop,
+      authorizationServer: authorizationServerMetadata.issuer
+    };
+  }
+  /**
+   * Convenience method around {@link Oauth2Client.retrievePreAuthorizedCodeAccessToken}
+   * but specifically focused on a credential offer
+   */
+  async retrievePreAuthorizedCodeAccessTokenFromOffer({
+    credentialOffer,
+    issuerMetadata,
+    additionalRequestPayload,
+    txCode,
+    dpop,
+    clientAttestation
+  }) {
+    if (!credentialOffer.grants?.[preAuthorizedCodeGrantIdentifier3]) {
+      throw new Oauth2Error7(`The credential offer does not contain the '${preAuthorizedCodeGrantIdentifier3}' grant.`);
+    }
+    if (credentialOffer.grants[preAuthorizedCodeGrantIdentifier3].tx_code && !txCode) {
+      throw new Oauth2Error7(
+        `Retrieving access token requires a 'tx_code' in the request, but the 'txCode' parameter was not provided.`
+      );
+    }
+    const preAuthorizedCode = credentialOffer.grants[preAuthorizedCodeGrantIdentifier3]["pre-authorized_code"];
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      grantAuthorizationServer: credentialOffer.grants[preAuthorizedCodeGrantIdentifier3].authorization_server,
+      issuerMetadata
+    });
+    const authorizationServerMetadata = getAuthorizationServerMetadataFromList2(
+      issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const result = await this.oauth2Client.retrievePreAuthorizedCodeAccessToken({
+      authorizationServerMetadata,
+      preAuthorizedCode,
+      txCode,
+      resource: issuerMetadata.credentialIssuer.credential_issuer,
+      additionalRequestPayload,
+      dpop,
+      clientAttestation
+    });
+    return {
+      ...result,
+      authorizationServer
+    };
+  }
+  /**
+   * Convenience method around {@link Oauth2Client.retrieveAuthorizationCodeAccessTokenFrom}
+   * but specifically focused on a credential offer
+   */
+  async retrieveAuthorizationCodeAccessTokenFromOffer({
+    issuerMetadata,
+    additionalRequestPayload,
+    credentialOffer,
+    authorizationCode,
+    pkceCodeVerifier,
+    redirectUri,
+    dpop,
+    clientAttestation
+  }) {
+    if (!credentialOffer.grants?.[authorizationCodeGrantIdentifier2]) {
+      throw new Oauth2Error7(`The credential offer does not contain the '${authorizationCodeGrantIdentifier2}' grant.`);
+    }
+    const authorizationServer = determineAuthorizationServerForCredentialOffer({
+      grantAuthorizationServer: credentialOffer.grants[authorizationCodeGrantIdentifier2].authorization_server,
+      issuerMetadata
+    });
+    const authorizationServerMetadata = getAuthorizationServerMetadataFromList2(
+      issuerMetadata.authorizationServers,
+      authorizationServer
+    );
+    const result = await this.oauth2Client.retrieveAuthorizationCodeAccessToken({
+      authorizationServerMetadata,
+      authorizationCode,
+      pkceCodeVerifier,
+      additionalRequestPayload,
+      dpop,
+      clientAttestation,
+      redirectUri,
+      resource: issuerMetadata.credentialIssuer.credential_issuer
+    });
+    return {
+      ...result,
+      authorizationServer
+    };
+  }
+  /**
+   * Request a nonce to be used in credential request proofs from the `nonce_endpoint`
+   *
+   * @throws Openid4vciError - if no `nonce_endpoint` is configured in the issuer metadata
+   * @thrwos InvalidFetchResponseError - if the nonce endpoint did not return a succesfull response
+   * @throws ValidationError - if validating the nonce response failed
+   */
+  async requestNonce(options) {
+    return requestNonce(options);
+  }
+  /**
+   * Creates the jwt proof payload and header to be included in a credential request.
+   */
+  async createCredentialRequestJwtProof(options) {
+    const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
+    if (!credentialConfiguration) {
+      throw new Openid4vciError(
+        `Credential configuration with '${options.credentialConfigurationId}' not found in 'credential_configurations_supported' from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
+      );
+    }
+    if (credentialConfiguration.proof_types_supported) {
+      if (!credentialConfiguration.proof_types_supported.jwt) {
+        throw new Openid4vciError(
+          `Credential configuration with id '${options.credentialConfigurationId}' does not support the 'jwt' proof type.`
+        );
+      }
+      if (!credentialConfiguration.proof_types_supported.jwt.proof_signing_alg_values_supported.includes(
+        options.signer.alg
+      )) {
+        throw new Openid4vciError(
+          `Credential configuration with id '${options.credentialConfigurationId}' does not support the '${options.signer.alg}' alg for 'jwt' proof type.`
+        );
+      }
+      if (credentialConfiguration.proof_types_supported.jwt.key_attestations_required && !options.keyAttestationJwt) {
+        throw new Openid4vciError(
+          `Credential configuration with id '${options.credentialConfigurationId}' requires key attestations for 'jwt' proof type but no 'keyAttestationJwt' was provided`
+        );
+      }
+    }
+    const jwt = await createCredentialRequestJwtProof({
+      credentialIssuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+      signer: options.signer,
+      clientId: options.clientId,
+      issuedAt: options.issuedAt,
+      nonce: options.nonce,
+      keyAttestationJwt: options.keyAttestationJwt,
+      callbacks: this.options.callbacks
+    });
+    return {
+      jwt
+    };
+  }
+  /**
+   * @throws Openid4vciRetrieveCredentialsError - if an unsuccesfull response or the respnose couldn't be parsed as credential response
+   * @throws ValidationError - if validation of the credential request failed
+   * @throws Openid4vciError - if the `credentialConfigurationId` couldn't be found, or if the the format specific request couldn't be constructed
+   */
+  async retrieveCredentials({
+    issuerMetadata,
+    proof,
+    proofs,
+    credentialConfigurationId,
+    additionalRequestPayload,
+    accessToken,
+    dpop
+  }) {
+    const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
+      credentialConfigurationId,
+      issuerMetadata
+    });
+    const credentialResponse = await retrieveCredentialsWithFormat({
+      accessToken,
+      formatPayload,
+      issuerMetadata,
+      additionalRequestPayload,
+      proof,
+      proofs,
+      callbacks: this.options.callbacks,
+      dpop
+    });
+    if (!credentialResponse.ok) {
+      throw new Openid4vciRetrieveCredentialsError(
+        `Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`,
+        credentialResponse,
+        await credentialResponse.response.clone().text()
+      );
+    }
+    return credentialResponse;
+  }
+  /**
+   * @throws Openid4vciSendNotificationError - if an unsuccesfull response
+   * @throws ValidationError - if validation of the notification request failed
+   */
+  async sendNotification({
+    issuerMetadata,
+    notification,
+    additionalRequestPayload,
+    accessToken,
+    dpop
+  }) {
+    const notificationResponse = await sendNotifcation({
+      accessToken,
+      issuerMetadata,
+      additionalRequestPayload,
+      callbacks: this.options.callbacks,
+      dpop,
+      notification
+    });
+    if (!notificationResponse.ok) {
+      throw new Openid4vciSendNotificationError(
+        `Error sending notification to '${issuerMetadata.credentialIssuer.credential_issuer}'`,
+        notificationResponse
+      );
+    }
+    return notificationResponse;
+  }
+};
+
+// src/Openid4vciIssuer.ts
+import {
+  Oauth2ErrorCodes as Oauth2ErrorCodes3,
+  Oauth2JwtVerificationError,
+  Oauth2ServerErrorResponseError
+} from "@openid4vc/oauth2";
+import { ValidationError as ValidationError4, parseWithErrorHandling as parseWithErrorHandling10 } from "@openid4vc/utils";
+
+// src/credential-request/credential-response.ts
+import { parseWithErrorHandling as parseWithErrorHandling8 } from "@openid4vc/utils";
+function createCredentialResponse(options) {
+  const credentialResponse = parseWithErrorHandling8(zCredentialResponse, {
+    c_nonce: options.cNonce,
+    c_nonce_expires_in: options.cNonceExpiresInSeconds,
+    credential: options.credential,
+    credentials: options.credentials,
+    notification_id: options.notificationId,
+    // NOTE `format` is removed in draft 13. For now if a format was requested
+    // we just always return it in the response as well.
+    format: options.credentialRequest.format?.format,
+    ...options.additionalPayload
+  });
+  return credentialResponse;
+}
+
+// src/credential-request/parse-credential-request.ts
+import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
+import z20 from "zod";
+function parseCredentialRequest(options) {
+  const credentialRequest = parseWithErrorHandling9(
+    zCredentialRequest,
+    options.credentialRequest,
+    "Error validating credential request"
+  );
+  let proofs = void 0;
+  const knownProofs = zCredentialRequestProofs.strict().safeParse(credentialRequest.proofs);
+  if (knownProofs.success) {
+    proofs = knownProofs.data;
+  }
+  const knownProof = z20.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+  if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
+    proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
+  } else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
+    proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
+  }
+  if (credentialRequest.credential_identifier) {
+    return {
+      credentialIdentifier: credentialRequest.credential_identifier,
+      credentialRequest,
+      proofs
+    };
+  }
+  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) {
+    return {
+      // Removes all claims that are not specific to this format
+      format: parseWithErrorHandling9(
+        z20.union(allCredentialRequestFormats),
+        credentialRequest,
+        "Unable to validate format specific properties from credential request"
+      ),
+      credentialRequest,
+      proofs
+    };
+  }
+  return {
+    credentialRequest,
+    proofs
+  };
+}
+
+// src/formats/proof-type/attestation/attestation-proof-type.ts
+async function verifyCredentialRequestAttestationProof(options) {
+  const verificationResult = await verifyKeyAttestationJwt({
+    ...options,
+    use: "proof_type.attestation"
+  });
+  return verificationResult;
+}
+
+// src/Openid4vciIssuer.ts
+var Openid4vciIssuer = class {
+  constructor(options) {
+    this.options = options;
+  }
+  getCredentialIssuerMetadataDraft11(credentialIssuerMetadata) {
+    return parseWithErrorHandling10(zCredentialIssuerMetadataWithDraft11, credentialIssuerMetadata);
+  }
+  getKnownCredentialConfigurationsSupported(credentialIssuerMetadata) {
+    return extractKnownCredentialConfigurationSupportedFormats(
+      credentialIssuerMetadata.credential_configurations_supported
+    );
+  }
+  /**
+   * Create issuer metadata and validates the structure is correct
+   */
+  createCredentialIssuerMetadata(credentialIssuerMetadata) {
+    return parseWithErrorHandling10(
+      zCredentialIssuerMetadata,
+      credentialIssuerMetadata,
+      "Error validating credential issuer metadata"
+    );
+  }
+  async createCredentialOffer(options) {
+    return createCredentialOffer({
+      callbacks: this.options.callbacks,
+      credentialConfigurationIds: options.credentialConfigurationIds,
+      grants: options.grants,
+      issuerMetadata: options.issuerMetadata,
+      additionalPayload: options.additionalPayload,
+      credentialOfferScheme: options.credentialOfferScheme,
+      credentialOfferUri: options.credentialOfferUri
+    });
+  }
+  /**
+   * @throws Oauth2ServerErrorResponseError - if verification of the jwt failed. You can extract
+   *  the credential error response from this.
+   */
+  async verifyCredentialRequestJwtProof(options) {
+    try {
+      return await verifyCredentialRequestJwtProof({
+        callbacks: this.options.callbacks,
+        credentialIssuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+        expectedNonce: options.expectedNonce,
+        nonceExpiresAt: options.nonceExpiresAt,
+        jwt: options.jwt,
+        clientId: options.clientId,
+        now: options.now
+      });
+    } catch (error) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: Oauth2ErrorCodes3.InvalidProof,
+          error_description: (
+            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
+          )
+        },
+        {
+          internalMessage: "Error verifying credential request proof jwt",
+          cause: error
+        }
+      );
+    }
+  }
+  /**
+   * @throws Oauth2ServerErrorResponseError - if verification of the key attestation failed. You can extract
+   *  the credential error response from this.
+   */
+  async verifyCredentialRequestAttestationProof(options) {
+    try {
+      return await verifyCredentialRequestAttestationProof({
+        callbacks: this.options.callbacks,
+        expectedNonce: options.expectedNonce,
+        keyAttestationJwt: options.keyAttestationJwt,
+        nonceExpiresAt: options.nonceExpiresAt,
+        now: options.now
+      });
+    } catch (error) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: Oauth2ErrorCodes3.InvalidProof,
+          error_description: (
+            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
+          )
+        },
+        {
+          internalMessage: "Error verifying credential request proof attestation",
+          cause: error
+        }
+      );
+    }
+  }
+  /**
+   * @throws Oauth2ServerErrorResponseError - when validation of the credential request fails
+   *  You can extract the credential error response from this.
+   */
+  parseCredentialRequest(options) {
+    try {
+      return parseCredentialRequest(options);
+    } catch (error) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: Oauth2ErrorCodes3.InvalidCredentialRequest,
+          error_description: (
+            // TODO: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof ValidationError4 ? error.message : "Invalid request"
+          )
+        },
+        {
+          internalMessage: "Error verifying credential request proof jwt",
+          cause: error
+        }
+      );
+    }
+  }
+  /**
+   * @throws ValidationError - when validation of the credential response fails
+   */
+  createCredentialResponse(options) {
+    return createCredentialResponse(options);
+  }
+  /**
+   * @throws ValidationError - when validation of the nonce response fails
+   */
+  createNonceResponse(options) {
+    return createNonceResponse(options);
+  }
+};
+export {
+  AuthorizationFlow,
+  Openid4vciClient,
+  Openid4vciDraftVersion,
+  Openid4vciError,
+  Openid4vciIssuer,
+  Openid4vciRetrieveCredentialsError,
+  Openid4vciSendNotificationError,
+  credentialsSupportedToCredentialConfigurationsSupported,
+  extractScopesForCredentialConfigurationIds,
+  getCredentialConfigurationsMatchingRequestFormat,
+  getGlobalConfig2 as getGlobalConfig,
+  setGlobalConfig
+};
+//# sourceMappingURL=index.mjs.map