npm - @openid4vc/openid4vci - Versions diffs - 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250325212250 - Mend

@openid4vc/openid4vci 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250325212250

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -37,6 +37,7 @@ __export(src_exports, {
   Openid4vciIssuer: () => Openid4vciIssuer,
   Openid4vciRetrieveCredentialsError: () => Openid4vciRetrieveCredentialsError,
   Openid4vciSendNotificationError: () => Openid4vciSendNotificationError,
+  Openid4vciWalletProvider: () => Openid4vciWalletProvider,
   credentialsSupportedToCredentialConfigurationsSupported: () => credentialsSupportedToCredentialConfigurationsSupported,
   extractScopesForCredentialConfigurationIds: () => extractScopesForCredentialConfigurationIds,
   getCredentialConfigurationsMatchingRequestFormat: () => getCredentialConfigurationsMatchingRequestFormat,
@@ -56,117 +57,81 @@ var import_utils3 = require("@openid4vc/utils");
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 var import_oauth22 = require("@openid4vc/oauth2");
 var import_utils2 = require("@openid4vc/utils");
-var import_zod9 = __toESM(require("zod"));
+var import_zod11 = __toESM(require("zod"));
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var import_zod3 = __toESM(require("zod"));
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
 var import_zod2 = __toESM(require("zod"));
-// src/key-attestation/z-key-attestation.ts
-var import_oauth2 = require("@openid4vc/oauth2");
-var import_utils = require("@openid4vc/utils");
+// src/metadata/credential-issuer/z-claims-description.ts
 var import_zod = __toESM(require("zod"));
-var zKeyAttestationJwtHeader = import_zod.default.object({
-  ...import_oauth2.zJwtHeader.shape,
-  typ: import_zod.default.literal("keyattestation+jwt")
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
-  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
-}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
-  message: `When 'trust_chain' is provided, 'kid' is required`
-});
-var zIso18045 = import_zod.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
-var zIso18045OrStringArray = import_zod.default.array(import_zod.default.union([zIso18045, import_zod.default.string()]));
-var zKeyAttestationJwtPayload = import_zod.default.object({
-  ...import_oauth2.zJwtPayload.shape,
-  iat: import_utils.zInteger,
-  attested_keys: import_zod.default.array(import_oauth2.zJwk),
-  key_storage: import_zod.default.optional(zIso18045OrStringArray),
-  user_authentication: import_zod.default.optional(zIso18045OrStringArray),
-  certification: import_zod.default.optional(import_zod.default.string())
-}).passthrough();
-var zKeyAttestationJwtPayloadForUse = (use) => import_zod.default.object({
-  ...zKeyAttestationJwtPayload.shape,
-  // REQUIRED when used as proof_type.attesation directly
-  nonce: use === "proof_type.attestation" ? import_zod.default.string({
-    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
-  }) : import_zod.default.optional(import_zod.default.string()),
-  // REQUIRED when used within header of proof_type.jwt
-  exp: use === "proof_type.jwt" ? import_utils.zInteger : import_zod.default.optional(import_utils.zInteger)
-}).passthrough();
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var zCredentialConfigurationSupportedClaims = import_zod2.default.object({
-  mandatory: import_zod2.default.boolean().optional(),
-  value_type: import_zod2.default.string().optional(),
-  display: import_zod2.default.object({
-    name: import_zod2.default.string().optional(),
-    locale: import_zod2.default.string().optional()
+var zCredentialConfigurationSupportedClaimsDraft14 = import_zod.default.object({
+  mandatory: import_zod.default.boolean().optional(),
+  value_type: import_zod.default.string().optional(),
+  display: import_zod.default.object({
+    name: import_zod.default.string().optional(),
+    locale: import_zod.default.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialConfigurationSupportedCommon = import_zod2.default.object({
-  format: import_zod2.default.string(),
-  scope: import_zod2.default.string().optional(),
-  cryptographic_binding_methods_supported: import_zod2.default.array(import_zod2.default.string()).optional(),
-  credential_signing_alg_values_supported: import_zod2.default.array(import_zod2.default.string()).optional(),
-  proof_types_supported: import_zod2.default.record(
-    import_zod2.default.union([import_zod2.default.literal("jwt"), import_zod2.default.literal("attestation"), import_zod2.default.string()]),
-    import_zod2.default.object({
-      proof_signing_alg_values_supported: import_zod2.default.array(import_zod2.default.string()),
-      key_attestations_required: import_zod2.default.object({
-        key_storage: zIso18045OrStringArray.optional(),
-        user_authentication: zIso18045OrStringArray.optional()
-      }).passthrough().optional()
-    })
-  ).optional(),
-  display: import_zod2.default.array(
-    import_zod2.default.object({
-      name: import_zod2.default.string(),
-      locale: import_zod2.default.string().optional(),
-      logo: import_zod2.default.object({
-        // FIXME: make required again, but need to support draft 11 first
-        uri: import_zod2.default.string().optional(),
-        alt_text: import_zod2.default.string().optional()
-      }).passthrough().optional(),
-      description: import_zod2.default.string().optional(),
-      background_color: import_zod2.default.string().optional(),
-      background_image: import_zod2.default.object({
-        // TODO: should be required, but paradym's metadata is wrong here.
-        uri: import_zod2.default.string().optional()
-      }).passthrough().optional(),
-      text_color: import_zod2.default.string().optional()
+var zClaimsDescriptionPath = import_zod.default.array(import_zod.default.union([import_zod.default.string(), import_zod.default.number().int().nonnegative(), import_zod.default.null()])).nonempty();
+var zMsoMdocClaimsDescriptionPath = import_zod.default.tuple([import_zod.default.string(), import_zod.default.string()], {
+  message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential"
+});
+var zIssuerMetadataClaimsDescription = import_zod.default.object({
+  path: zClaimsDescriptionPath,
+  mandatory: import_zod.default.boolean().optional(),
+  display: import_zod.default.array(
+    import_zod.default.object({
+      name: import_zod.default.string().optional(),
+      locale: import_zod.default.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
+var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({
+  path: zMsoMdocClaimsDescriptionPath
+});
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var zMsoMdocFormatIdentifier = import_zod3.default.literal("mso_mdoc");
-var zMsoMdocCredentialIssuerMetadata = import_zod3.default.object({
+var zMsoMdocFormatIdentifier = import_zod2.default.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = import_zod2.default.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: import_zod3.default.string(),
-  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaims),
-  order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
+  doctype: import_zod2.default.string(),
+  claims: import_zod2.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
 });
-var zMsoMdocCredentialRequestFormat = import_zod3.default.object({
+var zMsoMdocCredentialIssuerMetadataDraft14 = import_zod2.default.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: import_zod3.default.string(),
-  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaims)
+  doctype: import_zod2.default.string(),
+  claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
+  order: import_zod2.default.optional(import_zod2.default.array(import_zod2.default.string()))
+});
+var zMsoMdocCredentialRequestFormatDraft14 = import_zod2.default.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: import_zod2.default.string(),
+  // Format based request is removed in Draft 15, so only old claims syntax supported.
+  claims: import_zod2.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
-var import_zod4 = __toESM(require("zod"));
-var zSdJwtVcFormatIdentifier = import_zod4.default.literal("vc+sd-jwt");
-var zSdJwtVcCredentialIssuerMetadata = import_zod4.default.object({
-  vct: import_zod4.default.string(),
+var import_zod3 = __toESM(require("zod"));
+var zSdJwtVcFormatIdentifier = import_zod3.default.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadataDraft14 = import_zod3.default.object({
+  vct: import_zod3.default.string(),
   format: zSdJwtVcFormatIdentifier,
-  claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaims),
-  order: import_zod4.default.optional(import_zod4.default.array(import_zod4.default.string()))
+  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14),
+  order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
 });
-var zSdJwtVcCredentialRequestFormat = import_zod4.default.object({
+var zSdJwtVcCredentialRequestFormatDraft14 = import_zod3.default.object({
   format: zSdJwtVcFormatIdentifier,
+  vct: import_zod3.default.string(),
+  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
+});
+// src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
+var import_zod4 = __toESM(require("zod"));
+var zSdJwtDcFormatIdentifier = import_zod4.default.literal("dc+sd-jwt");
+var zSdJwtDcCredentialIssuerMetadata = import_zod4.default.object({
   vct: import_zod4.default.string(),
-  claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaims)
+  format: zSdJwtDcFormatIdentifier,
+  claims: import_zod4.default.array(zIssuerMetadataClaimsDescription).optional()
 });
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
@@ -174,7 +139,7 @@ var import_zod6 = __toESM(require("zod"));
 // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
 var import_zod5 = __toESM(require("zod"));
-var zCredentialSubjectLeafType = import_zod5.default.object({
+var zCredentialSubjectLeafTypeDraft14 = import_zod5.default.object({
   mandatory: import_zod5.default.boolean().optional(),
   value_type: import_zod5.default.string().optional(),
   display: import_zod5.default.array(
@@ -184,19 +149,30 @@ var zCredentialSubjectLeafType = import_zod5.default.object({
     }).passthrough()
   ).optional()
 }).passthrough();
-var zClaimValueSchema = import_zod5.default.union([import_zod5.default.array(import_zod5.default.any()), import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()), zCredentialSubjectLeafType]);
-var zW3cVcCredentialSubject = import_zod5.default.record(import_zod5.default.string(), zClaimValueSchema);
+var zClaimValueSchemaDraft14 = import_zod5.default.union([
+  import_zod5.default.array(import_zod5.default.any()),
+  import_zod5.default.record(import_zod5.default.string(), import_zod5.default.any()),
+  zCredentialSubjectLeafTypeDraft14
+]);
+var zW3cVcCredentialSubjectDraft14 = import_zod5.default.record(import_zod5.default.string(), zClaimValueSchemaDraft14);
 var zW3cVcJsonLdCredentialDefinition = import_zod5.default.object({
   "@context": import_zod5.default.array(import_zod5.default.string()),
-  type: import_zod5.default.array(import_zod5.default.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  type: import_zod5.default.array(import_zod5.default.string())
 }).passthrough();
+var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
+});
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
 var zLdpVcFormatIdentifier = import_zod6.default.literal("ldp_vc");
 var zLdpVcCredentialIssuerMetadata = import_zod6.default.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft14 = import_zod6.default.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
   order: import_zod6.default.array(import_zod6.default.string()).optional()
 });
 var zLdpVcCredentialIssuerMetadataDraft11 = import_zod6.default.object({
@@ -206,7 +182,7 @@ var zLdpVcCredentialIssuerMetadataDraft11 = import_zod6.default.object({
   // As well as using types instead of type
   "@context": import_zod6.default.array(import_zod6.default.string()),
   types: import_zod6.default.array(import_zod6.default.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
   ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -219,14 +195,14 @@ var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDr
     }
   })
 );
-var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   ...credentialDefinition,
   types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-var zLdpVcCredentialRequestFormat = import_zod6.default.object({
+var zLdpVcCredentialRequestFormatDraft14 = import_zod6.default.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: zW3cVcJsonLdCredentialDefinition
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
 var zLdpVcCredentialRequestDraft11 = import_zod6.default.object({
   format: zLdpVcFormatIdentifier,
@@ -234,7 +210,7 @@ var zLdpVcCredentialRequestDraft11 = import_zod6.default.object({
     "@context": import_zod6.default.array(import_zod6.default.string()),
     // credential_definition was using types instead of type in v11
     types: import_zod6.default.array(import_zod6.default.string()),
-    credentialSubject: zW3cVcCredentialSubject.optional()
+    credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
   })
 }).passthrough();
 var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(
@@ -246,7 +222,7 @@ var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transfor
     }
   })
 );
-var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
   ...rest,
   credential_definition: {
     ...restCredentialDefinition,
@@ -260,6 +236,11 @@ var zJwtVcJsonLdFormatIdentifier = import_zod7.default.literal("jwt_vc_json-ld")
 var zJwtVcJsonLdCredentialIssuerMetadata = import_zod7.default.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = import_zod7.default.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
   order: import_zod7.default.optional(import_zod7.default.array(import_zod7.default.string()))
 });
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod7.default.object({
@@ -269,7 +250,7 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod7.default.object({
   // As well as using types instead of type
   "@context": import_zod7.default.array(import_zod7.default.string()),
   types: import_zod7.default.array(import_zod7.default.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
   ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -282,12 +263,12 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssu
     }
   })
 );
-var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   ...credentialDefinition,
   types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-var zJwtVcJsonLdCredentialRequestFormat = import_zod7.default.object({
+var zJwtVcJsonLdCredentialRequestFormatDraft14 = import_zod7.default.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition
 });
@@ -297,7 +278,7 @@ var zJwtVcJsonLdCredentialRequestDraft11 = import_zod7.default.object({
     "@context": import_zod7.default.array(import_zod7.default.string()),
     // credential_definition was using types instead of type in v11
     types: import_zod7.default.array(import_zod7.default.string()),
-    credentialSubject: import_zod7.default.optional(zW3cVcCredentialSubject)
+    credentialSubject: import_zod7.default.optional(zW3cVcCredentialSubjectDraft14)
   }).passthrough()
 }).passthrough();
 var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -309,7 +290,7 @@ var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraf
     }
   })
 );
-var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
   ...rest,
   credential_definition: {
     ...restCredentialDefinition,
@@ -321,12 +302,19 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
 var import_zod8 = __toESM(require("zod"));
 var zJwtVcJsonFormatIdentifier = import_zod8.default.literal("jwt_vc_json");
 var zJwtVcJsonCredentialDefinition = import_zod8.default.object({
-  type: import_zod8.default.array(import_zod8.default.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  type: import_zod8.default.array(import_zod8.default.string())
 }).passthrough();
+var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
+});
 var zJwtVcJsonCredentialIssuerMetadata = import_zod8.default.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition,
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft14 = import_zod8.default.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
   order: import_zod8.default.array(import_zod8.default.string()).optional()
 });
 var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod8.default.object({
@@ -335,7 +323,7 @@ var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod8.default.object({
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
   types: import_zod8.default.array(import_zod8.default.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
   ({ types, credentialSubject, ...rest }) => ({
@@ -347,12 +335,12 @@ var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMe
     }
   })
 );
-var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-var zJwtVcJsonCredentialRequestFormat = import_zod8.default.object({
+var zJwtVcJsonCredentialRequestFormatDraft14 = import_zod8.default.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition
 });
@@ -361,7 +349,7 @@ var zJwtVcJsonCredentialRequestDraft11 = import_zod8.default.object({
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
   types: import_zod8.default.array(import_zod8.default.string()),
-  credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubject)
+  credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubjectDraft14)
 }).passthrough();
 var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
   ({ types, credentialSubject, ...rest }) => {
@@ -375,7 +363,7 @@ var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.
     };
   }
 );
-var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   types: type,
   ...credentialDefinition
@@ -383,18 +371,95 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.p
 // src/version.ts
 var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft15"] = "Draft15";
   Openid4vciDraftVersion2["Draft14"] = "Draft14";
   Openid4vciDraftVersion2["Draft11"] = "Draft11";
   return Openid4vciDraftVersion2;
 })(Openid4vciDraftVersion || {});
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var import_zod10 = __toESM(require("zod"));
+// src/key-attestation/z-key-attestation.ts
+var import_oauth2 = require("@openid4vc/oauth2");
+var import_utils = require("@openid4vc/utils");
+var import_zod9 = __toESM(require("zod"));
+var zKeyAttestationJwtHeader = import_zod9.default.object({
+  ...import_oauth2.zJwtHeader.shape,
+  typ: import_zod9.default.literal("keyattestation+jwt")
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = import_zod9.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = import_zod9.default.array(import_zod9.default.union([zIso18045, import_zod9.default.string()]));
+var zKeyAttestationJwtPayload = import_zod9.default.object({
+  ...import_oauth2.zJwtPayload.shape,
+  iat: import_utils.zInteger,
+  attested_keys: import_zod9.default.array(import_oauth2.zJwk),
+  key_storage: import_zod9.default.optional(zIso18045OrStringArray),
+  user_authentication: import_zod9.default.optional(zIso18045OrStringArray),
+  certification: import_zod9.default.optional(import_zod9.default.string().url())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => import_zod9.default.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? import_zod9.default.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : import_zod9.default.optional(import_zod9.default.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? import_utils.zInteger : import_zod9.default.optional(import_utils.zInteger)
+}).passthrough();
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedCommon = import_zod10.default.object({
+  format: import_zod10.default.string(),
+  scope: import_zod10.default.string().optional(),
+  cryptographic_binding_methods_supported: import_zod10.default.array(import_zod10.default.string()).optional(),
+  credential_signing_alg_values_supported: import_zod10.default.array(import_zod10.default.string()).optional(),
+  proof_types_supported: import_zod10.default.record(
+    import_zod10.default.union([import_zod10.default.literal("jwt"), import_zod10.default.literal("attestation"), import_zod10.default.string()]),
+    import_zod10.default.object({
+      proof_signing_alg_values_supported: import_zod10.default.array(import_zod10.default.string()),
+      key_attestations_required: import_zod10.default.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  display: import_zod10.default.array(
+    import_zod10.default.object({
+      name: import_zod10.default.string(),
+      locale: import_zod10.default.string().optional(),
+      logo: import_zod10.default.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: import_zod10.default.string().optional(),
+        alt_text: import_zod10.default.string().optional()
+      }).passthrough().optional(),
+      description: import_zod10.default.string().optional(),
+      background_color: import_zod10.default.string().optional(),
+      background_image: import_zod10.default.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: import_zod10.default.string().optional()
+      }).passthrough().optional(),
+      text_color: import_zod10.default.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 var allCredentialIssuerMetadataFormats = [
-  zSdJwtVcCredentialIssuerMetadata,
+  zSdJwtDcCredentialIssuerMetadata,
   zMsoMdocCredentialIssuerMetadata,
   zJwtVcJsonLdCredentialIssuerMetadata,
   zLdpVcCredentialIssuerMetadata,
-  zJwtVcJsonCredentialIssuerMetadata
+  zJwtVcJsonCredentialIssuerMetadata,
+  zMsoMdocCredentialIssuerMetadataDraft14,
+  zSdJwtVcCredentialIssuerMetadataDraft14,
+  zJwtVcJsonLdCredentialIssuerMetadataDraft14,
+  zLdpVcCredentialIssuerMetadataDraft14,
+  zJwtVcJsonCredentialIssuerMetadataDraft14
 ];
 var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
   (format) => format.shape.format.value
@@ -402,56 +467,69 @@ var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFo
 var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSupportedCommon.transform(
   (data, ctx) => {
     if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
-    const result = import_zod9.default.object({}).passthrough().and(import_zod9.default.discriminatedUnion("format", allCredentialIssuerMetadataFormats)).safeParse(data);
+    const validators = allCredentialIssuerMetadataFormats.reduce(
+      (validators2, formatValidator) => {
+        const format = formatValidator.shape.format.value;
+        if (!validators2[format]) {
+          validators2[format] = [];
+        }
+        validators2[format].push(formatValidator);
+        return validators2;
+      },
+      {}
+    )[data.format];
+    const result = import_zod11.default.object({}).passthrough().and(
+      validators.length > 1 ? import_zod11.default.union(validators) : validators[0]
+    ).safeParse(data);
     if (result.success) {
       return result.data;
     }
     for (const issue of result.error.issues) {
       ctx.addIssue(issue);
     }
-    return import_zod9.default.NEVER;
+    return import_zod11.default.NEVER;
   }
 );
-var zCredentialIssuerMetadataDisplayEntry = import_zod9.default.object({
-  name: import_zod9.default.string().optional(),
-  locale: import_zod9.default.string().optional(),
-  logo: import_zod9.default.object({
+var zCredentialIssuerMetadataDisplayEntry = import_zod11.default.object({
+  name: import_zod11.default.string().optional(),
+  locale: import_zod11.default.string().optional(),
+  logo: import_zod11.default.object({
     // FIXME: make required again, but need to support draft 11 first
-    uri: import_zod9.default.string().optional(),
-    alt_text: import_zod9.default.string().optional()
+    uri: import_zod11.default.string().optional(),
+    alt_text: import_zod11.default.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialIssuerMetadataDraft14 = import_zod9.default.object({
+var zCredentialIssuerMetadataDraft14Draft15 = import_zod11.default.object({
   credential_issuer: import_utils2.zHttpsUrl,
-  authorization_servers: import_zod9.default.array(import_utils2.zHttpsUrl).optional(),
+  authorization_servers: import_zod11.default.array(import_utils2.zHttpsUrl).optional(),
   credential_endpoint: import_utils2.zHttpsUrl,
   deferred_credential_endpoint: import_utils2.zHttpsUrl.optional(),
   notification_endpoint: import_utils2.zHttpsUrl.optional(),
   // Added after draft 14, but needed for proper
   nonce_endpoint: import_utils2.zHttpsUrl.optional(),
-  credential_response_encryption: import_zod9.default.object({
-    alg_values_supported: import_zod9.default.array(import_zod9.default.string()),
-    enc_values_supported: import_zod9.default.array(import_zod9.default.string()),
-    encryption_required: import_zod9.default.boolean()
+  credential_response_encryption: import_zod11.default.object({
+    alg_values_supported: import_zod11.default.array(import_zod11.default.string()),
+    enc_values_supported: import_zod11.default.array(import_zod11.default.string()),
+    encryption_required: import_zod11.default.boolean()
   }).passthrough().optional(),
-  batch_credential_issuance: import_zod9.default.object({
-    batch_size: import_zod9.default.number().positive()
+  batch_credential_issuance: import_zod11.default.object({
+    batch_size: import_zod11.default.number().positive()
   }).passthrough().optional(),
   signed_metadata: import_oauth22.zCompactJwt.optional(),
-  display: import_zod9.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
-  credential_configurations_supported: import_zod9.default.record(import_zod9.default.string(), zCredentialConfigurationSupportedWithFormats)
+  display: import_zod11.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+  credential_configurations_supported: import_zod11.default.record(import_zod11.default.string(), zCredentialConfigurationSupportedWithFormats)
 }).passthrough();
-var zCredentialConfigurationSupportedDraft11To14 = import_zod9.default.object({
-  id: import_zod9.default.string().optional(),
-  format: import_zod9.default.string(),
-  cryptographic_suites_supported: import_zod9.default.array(import_zod9.default.string()).optional(),
-  display: import_zod9.default.array(
-    import_zod9.default.object({
-      logo: import_zod9.default.object({
-        url: import_zod9.default.string().url().optional()
+var zCredentialConfigurationSupportedDraft11To14 = import_zod11.default.object({
+  id: import_zod11.default.string().optional(),
+  format: import_zod11.default.string(),
+  cryptographic_suites_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
+  display: import_zod11.default.array(
+    import_zod11.default.object({
+      logo: import_zod11.default.object({
+        url: import_zod11.default.string().url().optional()
       }).passthrough().optional(),
-      background_image: import_zod9.default.object({
-        url: import_zod9.default.string().url().optional()
+      background_image: import_zod11.default.object({
+        url: import_zod11.default.string().url().optional()
       }).passthrough().optional()
     }).passthrough()
   ).optional()
@@ -492,11 +570,11 @@ var zCredentialConfigurationSupportedDraft11To14 = import_zod9.default.object({
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return import_zod9.default.NEVER;
+  return import_zod11.default.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
-  import_zod9.default.object({
-    id: import_zod9.default.string()
+  import_zod11.default.object({
+    id: import_zod11.default.string()
   }).passthrough()
 ).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
   ...rest,
@@ -516,15 +594,15 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
   } : {},
   id
 })).pipe(
-  import_zod9.default.union([
+  import_zod11.default.union([
     zLdpVcCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
     // To handle unrecognized formats and not error immediately we allow the common format as well
     // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
     // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
-    import_zod9.default.object({
-      format: import_zod9.default.string().refine(
+    import_zod11.default.object({
+      format: import_zod11.default.string().refine(
         (input) => ![
           zLdpVcFormatIdentifier.value,
           zJwtVcJsonFormatIdentifier.value,
@@ -534,11 +612,11 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     }).passthrough()
   ])
 );
-var zCredentialIssuerMetadataDraft11To14 = import_zod9.default.object({
-  authorization_server: import_zod9.default.string().optional(),
-  credentials_supported: import_zod9.default.array(
-    import_zod9.default.object({
-      id: import_zod9.default.string().optional()
+var zCredentialIssuerMetadataDraft11To14 = import_zod11.default.object({
+  authorization_server: import_zod11.default.string().optional(),
+  credentials_supported: import_zod11.default.array(
+    import_zod11.default.object({
+      id: import_zod11.default.string().optional()
     }).passthrough()
   )
 }).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
@@ -551,12 +629,12 @@ var zCredentialIssuerMetadataDraft11To14 = import_zod9.default.object({
     )
   };
 }).pipe(
-  import_zod9.default.object({
+  import_zod11.default.object({
     // Update from v11 structrue to v14 structure
-    credential_configurations_supported: import_zod9.default.record(import_zod9.default.string(), zCredentialConfigurationSupportedDraft11To14)
+    credential_configurations_supported: import_zod11.default.record(import_zod11.default.string(), zCredentialConfigurationSupportedDraft11To14)
   }).passthrough()
-).pipe(zCredentialIssuerMetadataDraft14);
-var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.transform((issuerMetadata) => ({
+).pipe(zCredentialIssuerMetadataDraft14Draft15);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
   ...issuerMetadata,
   ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
   credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
@@ -564,22 +642,35 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.tran
     id
   }))
 })).pipe(
-  zCredentialIssuerMetadataDraft14.extend({
-    credentials_supported: import_zod9.default.array(zCredentialConfigurationSupportedDraft14To11)
+  zCredentialIssuerMetadataDraft14Draft15.extend({
+    credentials_supported: import_zod11.default.array(zCredentialConfigurationSupportedDraft14To11)
   })
 );
-var zCredentialIssuerMetadata = import_zod9.default.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialIssuerMetadataDraft14,
+var zCredentialIssuerMetadata = import_zod11.default.union([
+  // First prioritize draft 15/14 (and 13)
+  zCredentialIssuerMetadataDraft14Draft15,
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14
 ]);
-var zCredentialIssuerMetadataWithDraftVersion = import_zod9.default.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialIssuerMetadataDraft14.transform((credentialIssuerMetadata) => ({
-    credentialIssuerMetadata,
-    originalDraftVersion: "Draft14" /* Draft14 */
-  })),
+var zCredentialIssuerMetadataWithDraftVersion = import_zod11.default.union([
+  zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
+    const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
+      (configuration) => {
+        const knownConfiguration = configuration;
+        if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
+        if (Array.isArray(knownConfiguration.claims)) return true;
+        if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
+          (proofType) => proofType.key_attestations_required !== void 0
+        ))
+          return true;
+        return false;
+      }
+    );
+    return {
+      credentialIssuerMetadata,
+      originalDraftVersion: isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
+    };
+  }),
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
     credentialIssuerMetadata,
@@ -606,6 +697,15 @@ function extractKnownCredentialConfigurationSupportedFormats(credentialConfigura
     )
   );
 }
+function getCredentialConfigurationSupportedById(credentialConfigurations, credentialConfigurationId) {
+  const configuration = credentialConfigurations[credentialConfigurationId];
+  if (!configuration) {
+    throw new import_oauth23.Oauth2Error(
+      `Credential configuration with id '${credentialConfigurationId}' not found in credential configurations supported.`
+    );
+  }
+  return configuration;
+}
 // src/credential-request/credential-request-configurations.ts
 function getCredentialConfigurationsMatchingRequestFormat({
@@ -717,41 +817,41 @@ var import_utils7 = require("@openid4vc/utils");
 // src/credential-offer/z-credential-offer.ts
 var import_oauth25 = require("@openid4vc/oauth2");
 var import_utils6 = require("@openid4vc/utils");
-var import_zod10 = __toESM(require("zod"));
-var zTxCode = import_zod10.default.object({
-  input_mode: import_zod10.default.union([import_zod10.default.literal("numeric"), import_zod10.default.literal("text")]).optional(),
-  length: import_zod10.default.number().int().optional(),
-  description: import_zod10.default.string().max(300).optional()
+var import_zod12 = __toESM(require("zod"));
+var zTxCode = import_zod12.default.object({
+  input_mode: import_zod12.default.union([import_zod12.default.literal("numeric"), import_zod12.default.literal("text")]).optional(),
+  length: import_zod12.default.number().int().optional(),
+  description: import_zod12.default.string().max(300).optional()
 }).passthrough();
-var zCredentialOfferGrants = import_zod10.default.object({
-  authorization_code: import_zod10.default.object({
-    issuer_state: import_zod10.default.string().optional(),
+var zCredentialOfferGrants = import_zod12.default.object({
+  authorization_code: import_zod12.default.object({
+    issuer_state: import_zod12.default.string().optional(),
     authorization_server: import_utils6.zHttpsUrl.optional()
   }).passthrough().optional(),
-  [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod10.default.object({
-    "pre-authorized_code": import_zod10.default.string(),
+  [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod12.default.object({
+    "pre-authorized_code": import_zod12.default.string(),
     tx_code: zTxCode.optional(),
     authorization_server: import_utils6.zHttpsUrl.optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialOfferObjectDraft14 = import_zod10.default.object({
+var zCredentialOfferObjectDraft14 = import_zod12.default.object({
   credential_issuer: import_utils6.zHttpsUrl,
-  credential_configuration_ids: import_zod10.default.array(import_zod10.default.string()),
-  grants: import_zod10.default.optional(zCredentialOfferGrants)
+  credential_configuration_ids: import_zod12.default.array(import_zod12.default.string()),
+  grants: import_zod12.default.optional(zCredentialOfferGrants)
 }).passthrough();
-var zCredentialOfferObjectDraft11To14 = import_zod10.default.object({
+var zCredentialOfferObjectDraft11To14 = import_zod12.default.object({
   credential_issuer: import_utils6.zHttpsUrl,
   // We don't support the inline offer objects from draft 11
-  credentials: import_zod10.default.array(
-    import_zod10.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
+  credentials: import_zod12.default.array(
+    import_zod12.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
   ),
-  grants: import_zod10.default.optional(
-    import_zod10.default.object({
+  grants: import_zod12.default.optional(
+    import_zod12.default.object({
       // Has extra param in draft 14, but doesn't matter for transform purposes
       authorization_code: zCredentialOfferGrants.shape.authorization_code,
-      [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod10.default.object({
-        "pre-authorized_code": import_zod10.default.string(),
-        user_pin_required: import_zod10.default.optional(import_zod10.default.boolean())
+      [import_oauth25.preAuthorizedCodeGrantIdentifier]: import_zod12.default.object({
+        "pre-authorized_code": import_zod12.default.string(),
+        user_pin_required: import_zod12.default.optional(import_zod12.default.boolean())
       }).passthrough().optional()
     })
   )
@@ -776,7 +876,7 @@ var zCredentialOfferObjectDraft11To14 = import_zod10.default.object({
   }
   return v14;
 }).pipe(zCredentialOfferObjectDraft14);
-var zCredentialOfferObject = import_zod10.default.union([
+var zCredentialOfferObject = import_zod12.default.union([
   // First prioritize draft 14 (and 13)
   zCredentialOfferObjectDraft14,
   // Then try parsing draft 11 and transform into draft 14
@@ -915,25 +1015,23 @@ async function createCredentialOffer(options) {
 // src/credential-request/format-payload.ts
 var import_utils8 = require("@openid4vc/utils");
 function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
-  const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
-  if (!credentialConfiguration) {
-    throw new Openid4vciError(
-      `Could not find credential configuration with id '${options.credentialConfigurationId}' in metadata of credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'.`
-    );
-  }
-  if ((0, import_utils8.zIs)(zSdJwtVcCredentialIssuerMetadata, credentialConfiguration)) {
+  const credentialConfiguration = getCredentialConfigurationSupportedById(
+    options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+    options.credentialConfigurationId
+  );
+  if ((0, import_utils8.zIs)(zSdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       vct: credentialConfiguration.vct
     };
   }
-  if ((0, import_utils8.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration)) {
+  if ((0, import_utils8.zIs)(zMsoMdocCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zMsoMdocCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       doctype: credentialConfiguration.doctype
     };
   }
-  if ((0, import_utils8.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration)) {
+  if ((0, import_utils8.zIs)(zLdpVcCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zLdpVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -942,7 +1040,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
-  if ((0, import_utils8.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration)) {
+  if ((0, import_utils8.zIs)(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zJwtVcJsonLdCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -951,7 +1049,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
-  if ((0, import_utils8.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration)) {
+  if ((0, import_utils8.zIs)(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration) || (0, import_utils8.zIs)(zJwtVcJsonCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -959,6 +1057,11 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
+  if ((0, import_utils8.zIs)(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
+    throw new Openid4vciError(
+      `Credential configuration id '${options.credentialConfigurationId}' with format ${zSdJwtVcFormatIdentifier.value} does not support credential request based on 'format'. Use 'credential_configuration_id' directly.`
+    );
+  }
   throw new Openid4vciError(
     `Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
   );
@@ -969,33 +1072,33 @@ var import_oauth210 = require("@openid4vc/oauth2");
 var import_utils10 = require("@openid4vc/utils");
 // src/credential-request/z-credential-request.ts
-var import_zod14 = __toESM(require("zod"));
+var import_zod16 = __toESM(require("zod"));
 // src/credential-request/z-credential-request-common.ts
 var import_oauth29 = require("@openid4vc/oauth2");
-var import_zod13 = __toESM(require("zod"));
+var import_zod15 = __toESM(require("zod"));
 // src/formats/proof-type/jwt/z-jwt-proof-type.ts
 var import_oauth27 = require("@openid4vc/oauth2");
 var import_utils9 = require("@openid4vc/utils");
-var import_zod11 = __toESM(require("zod"));
-var zJwtProofTypeIdentifier = import_zod11.default.literal("jwt");
+var import_zod13 = __toESM(require("zod"));
+var zJwtProofTypeIdentifier = import_zod13.default.literal("jwt");
 var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
-var zCredentialRequestProofJwt = import_zod11.default.object({
+var zCredentialRequestProofJwt = import_zod13.default.object({
   proof_type: zJwtProofTypeIdentifier,
   jwt: import_oauth27.zCompactJwt
 });
 var zCredentialRequestJwtProofTypeHeader = import_oauth27.zJwtHeader.merge(
-  import_zod11.default.object({
-    key_attestation: import_zod11.default.optional(import_oauth27.zCompactJwt),
-    typ: import_zod11.default.literal("openid4vci-proof+jwt")
+  import_zod13.default.object({
+    key_attestation: import_zod13.default.optional(import_oauth27.zCompactJwt),
+    typ: import_zod13.default.literal("openid4vci-proof+jwt")
   })
 ).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
   message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
 }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
   message: `When 'trust_chain' is provided, 'kid' is required`
 });
-var zCredentialRequestJwtProofTypePayload = import_zod11.default.object({
+var zCredentialRequestJwtProofTypePayload = import_zod13.default.object({
   ...import_oauth27.zJwtPayload.shape,
   aud: import_utils9.zHttpsUrl,
   iat: import_utils9.zInteger
@@ -1003,40 +1106,40 @@ var zCredentialRequestJwtProofTypePayload = import_zod11.default.object({
 // src/formats/proof-type/attestation/z-attestation-proof-type.ts
 var import_oauth28 = require("@openid4vc/oauth2");
-var import_zod12 = __toESM(require("zod"));
-var zAttestationProofTypeIdentifier = import_zod12.default.literal("attestation");
+var import_zod14 = __toESM(require("zod"));
+var zAttestationProofTypeIdentifier = import_zod14.default.literal("attestation");
 var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
-var zCredentialRequestProofAttestation = import_zod12.default.object({
+var zCredentialRequestProofAttestation = import_zod14.default.object({
   proof_type: zAttestationProofTypeIdentifier,
   attestation: import_oauth28.zCompactJwt
 });
 var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
 // src/credential-request/z-credential-request-common.ts
-var zCredentialRequestProofCommon = import_zod13.default.object({
-  proof_type: import_zod13.default.string()
+var zCredentialRequestProofCommon = import_zod15.default.object({
+  proof_type: import_zod15.default.string()
 }).passthrough();
 var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
-var zCredentialRequestProof = import_zod13.default.union([
+var zCredentialRequestProof = import_zod15.default.union([
   zCredentialRequestProofCommon,
-  import_zod13.default.discriminatedUnion("proof_type", allCredentialRequestProofs)
+  import_zod15.default.discriminatedUnion("proof_type", allCredentialRequestProofs)
 ]);
-var zCredentialRequestProofsCommon = import_zod13.default.record(import_zod13.default.string(), import_zod13.default.array(import_zod13.default.unknown()));
-var zCredentialRequestProofs = import_zod13.default.object({
-  [zJwtProofTypeIdentifier.value]: import_zod13.default.optional(import_zod13.default.array(zCredentialRequestProofJwt.shape.jwt)),
-  [zAttestationProofTypeIdentifier.value]: import_zod13.default.optional(import_zod13.default.array(zCredentialRequestProofAttestation.shape.attestation))
+var zCredentialRequestProofsCommon = import_zod15.default.record(import_zod15.default.string(), import_zod15.default.array(import_zod15.default.unknown()));
+var zCredentialRequestProofs = import_zod15.default.object({
+  [zJwtProofTypeIdentifier.value]: import_zod15.default.optional(import_zod15.default.array(zCredentialRequestProofJwt.shape.jwt)),
+  [zAttestationProofTypeIdentifier.value]: import_zod15.default.optional(import_zod15.default.array(zCredentialRequestProofAttestation.shape.attestation))
 });
-var zCredentialRequestCommon = import_zod13.default.object({
+var zCredentialRequestCommon = import_zod15.default.object({
   proof: zCredentialRequestProof.optional(),
-  proofs: import_zod13.default.optional(
-    import_zod13.default.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
+  proofs: import_zod15.default.optional(
+    import_zod15.default.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
       message: `The 'proofs' object in a credential request should contain exactly one attribute`
     })
   ),
-  credential_response_encryption: import_zod13.default.object({
+  credential_response_encryption: import_zod15.default.object({
     jwk: import_oauth29.zJwk,
-    alg: import_zod13.default.string(),
-    enc: import_zod13.default.string()
+    alg: import_zod15.default.string(),
+    enc: import_zod15.default.string()
   }).passthrough().optional()
 }).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
   message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
@@ -1044,40 +1147,54 @@ var zCredentialRequestCommon = import_zod13.default.object({
 // src/credential-request/z-credential-request.ts
 var allCredentialRequestFormats = [
-  zSdJwtVcCredentialRequestFormat,
-  zMsoMdocCredentialRequestFormat,
-  zLdpVcCredentialRequestFormat,
-  zJwtVcJsonLdCredentialRequestFormat,
-  zJwtVcJsonCredentialRequestFormat
+  zSdJwtVcCredentialRequestFormatDraft14,
+  zMsoMdocCredentialRequestFormatDraft14,
+  zLdpVcCredentialRequestFormatDraft14,
+  zJwtVcJsonLdCredentialRequestFormatDraft14,
+  zJwtVcJsonCredentialRequestFormatDraft14
 ];
 var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
   (format) => format.shape.format.value
 );
-var zAuthorizationDetailsCredentialRequest = import_zod14.default.object({
-  credential_identifier: import_zod14.default.string(),
+var zCredentialRequestCredentialConfigurationId = import_zod16.default.object({
+  credential_configuration_id: import_zod16.default.string(),
+  format: import_zod16.default.never({ message: "'format' cannot be defined when 'credential_configuration_id' is set." }).optional(),
+  credential_identifier: import_zod16.default.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
+});
+var zAuthorizationDetailsCredentialRequest = import_zod16.default.object({
+  credential_identifier: import_zod16.default.string(),
+  credential_configuration_id: import_zod16.default.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional(),
   // Cannot be present if credential identifier is present
-  format: import_zod14.default.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
+  format: import_zod16.default.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
 });
-var zCredentialRequestFormatNoCredentialIdentifier = import_zod14.default.object({
-  format: import_zod14.default.string(),
-  credential_identifier: import_zod14.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional()
+var zCredentialRequestFormat = import_zod16.default.object({
+  format: import_zod16.default.string(),
+  credential_identifier: import_zod16.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
+  credential_configuration_id: import_zod16.default.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).passthrough();
-var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
-  if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-  const result = import_zod14.default.object({}).passthrough().and(import_zod14.default.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
+var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
+  if (!allCredentialRequestFormatIdentifiers.includes(
+    data.format
+  ))
+    return data;
+  const result = import_zod16.default.object({}).passthrough().and(import_zod16.default.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
   if (result.success) {
     return result.data;
   }
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return import_zod14.default.NEVER;
+  return import_zod16.default.NEVER;
 });
-var zCredentialRequestDraft14 = import_zod14.default.union([
+var zCredentialRequestDraft15 = import_zod16.default.union([
+  zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest),
+  zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
+]);
+var zCredentialRequestDraft14 = import_zod16.default.union([
   zCredenialRequestDraft14WithFormat,
   zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
 ]);
-var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
   const formatSpecificTransformations = {
     [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
     [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft11To14,
@@ -1090,7 +1207,7 @@ var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequ
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return import_zod14.default.NEVER;
+  return import_zod16.default.NEVER;
 }).pipe(zCredentialRequestDraft14);
 var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
   (data) => data.credential_identifier === void 0,
@@ -1108,15 +1225,19 @@ var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return import_zod14.default.NEVER;
+  return import_zod16.default.NEVER;
 });
-var zCredentialRequest = import_zod14.default.union([zCredentialRequestDraft14, zCredentialRequestDraft11To14]);
+var zCredentialRequest = import_zod16.default.union([
+  zCredentialRequestDraft15,
+  zCredentialRequestDraft14,
+  zCredentialRequestDraft11To14
+]);
 // src/credential-request/z-credential-response.ts
-var import_zod16 = __toESM(require("zod"));
+var import_zod18 = __toESM(require("zod"));
 // ../oauth2/src/common/z-oauth2-error.ts
-var import_zod15 = __toESM(require("zod"));
+var import_zod17 = __toESM(require("zod"));
 var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["ServerError"] = "server_error";
   Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
@@ -1153,21 +1274,21 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
   return Oauth2ErrorCodes4;
 })(Oauth2ErrorCodes || {});
-var zOauth2ErrorResponse = import_zod15.default.object({
-  error: import_zod15.default.union([import_zod15.default.nativeEnum(Oauth2ErrorCodes), import_zod15.default.string()]),
-  error_description: import_zod15.default.string().optional(),
-  error_uri: import_zod15.default.string().optional()
+var zOauth2ErrorResponse = import_zod17.default.object({
+  error: import_zod17.default.union([import_zod17.default.nativeEnum(Oauth2ErrorCodes), import_zod17.default.string()]),
+  error_description: import_zod17.default.string().optional(),
+  error_uri: import_zod17.default.string().optional()
 }).passthrough();
 // src/credential-request/z-credential-response.ts
-var zCredentialEncoding = import_zod16.default.union([import_zod16.default.string(), import_zod16.default.record(import_zod16.default.string(), import_zod16.default.any())]);
-var zCredentialResponse = import_zod16.default.object({
-  credential: import_zod16.default.optional(zCredentialEncoding),
-  credentials: import_zod16.default.optional(import_zod16.default.array(zCredentialEncoding)),
-  transaction_id: import_zod16.default.string().optional(),
-  c_nonce: import_zod16.default.string().optional(),
-  c_nonce_expires_in: import_zod16.default.number().int().optional(),
-  notification_id: import_zod16.default.string().optional()
+var zCredentialEncoding = import_zod18.default.union([import_zod18.default.string(), import_zod18.default.record(import_zod18.default.string(), import_zod18.default.any())]);
+var zCredentialResponse = import_zod18.default.object({
+  credential: import_zod18.default.optional(zCredentialEncoding),
+  credentials: import_zod18.default.optional(import_zod18.default.array(zCredentialEncoding)),
+  transaction_id: import_zod18.default.string().optional(),
+  c_nonce: import_zod18.default.string().optional(),
+  c_nonce_expires_in: import_zod18.default.number().int().optional(),
+  notification_id: import_zod18.default.string().optional()
 }).passthrough().refine(
   (value) => {
     const { credential, credentials, transaction_id } = value;
@@ -1177,14 +1298,43 @@ var zCredentialResponse = import_zod16.default.object({
     message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
   }
 );
-var zCredentialErrorResponse = import_zod16.default.object({
+var zCredentialErrorResponse = import_zod18.default.object({
   ...zOauth2ErrorResponse.shape,
-  c_nonce: import_zod16.default.string().optional(),
-  c_nonce_expires_in: import_zod16.default.number().int().optional()
+  c_nonce: import_zod18.default.string().optional(),
+  c_nonce_expires_in: import_zod18.default.number().int().optional()
 }).passthrough();
 // src/credential-request/retrieve-credentials.ts
+async function retrieveCredentialsWithCredentialConfigurationId(options) {
+  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */) {
+    throw new Openid4vciError(
+      "Requesting credentials based on format is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
+    );
+  }
+  getCredentialConfigurationSupportedById(
+    options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+    options.credentialConfigurationId
+  );
+  const credentialRequest = {
+    ...options.additionalRequestPayload,
+    credential_configuration_id: options.credentialConfigurationId,
+    proof: options.proof,
+    proofs: options.proofs
+  };
+  return retrieveCredentials({
+    callbacks: options.callbacks,
+    credentialRequest,
+    issuerMetadata: options.issuerMetadata,
+    accessToken: options.accessToken,
+    dpop: options.dpop
+  });
+}
 async function retrieveCredentialsWithFormat(options) {
+  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+    throw new Openid4vciError(
+      "Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request."
+    );
+  }
   const credentialRequest = {
     ...options.formatPayload,
     ...options.additionalRequestPayload,
@@ -1270,6 +1420,24 @@ var import_utils12 = require("@openid4vc/utils");
 var import_oauth211 = require("@openid4vc/oauth2");
 var import_oauth212 = require("@openid4vc/oauth2");
 var import_utils11 = require("@openid4vc/utils");
+async function createKeyAttestationJwt(options) {
+  const header = (0, import_utils11.parseWithErrorHandling)(zKeyAttestationJwtHeader, {
+    ...(0, import_oauth211.jwtHeaderFromJwtSigner)(options.signer),
+    typ: "keyattestation+jwt"
+  });
+  const payload = (0, import_utils11.parseWithErrorHandling)(zKeyAttestationJwtPayloadForUse(options.use), {
+    iat: (0, import_utils11.dateToSeconds)(options.issuedAt),
+    exp: options.expiresAt ? (0, import_utils11.dateToSeconds)(options.expiresAt) : void 0,
+    nonce: options.nonce,
+    attested_keys: options.attestedKeys,
+    user_authentication: options.userAuthentication,
+    key_storage: options.keyStorage,
+    certification: options.certification,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
+  return jwt;
+}
 async function verifyKeyAttestationJwt(options) {
   const { header, payload } = (0, import_oauth211.decodeJwt)({
     jwt: options.keyAttestationJwt,
@@ -1425,10 +1593,10 @@ var import_utils15 = require("@openid4vc/utils");
 // src/nonce/z-nonce.ts
 var import_utils14 = require("@openid4vc/utils");
-var import_zod17 = __toESM(require("zod"));
-var zNonceResponse = import_zod17.default.object({
-  c_nonce: import_zod17.default.string(),
-  c_nonce_expires_in: import_zod17.default.optional(import_utils14.zInteger)
+var import_zod19 = __toESM(require("zod"));
+var zNonceResponse = import_zod19.default.object({
+  c_nonce: import_zod19.default.string(),
+  c_nonce_expires_in: import_zod19.default.optional(import_utils14.zInteger)
 }).passthrough();
 // src/nonce/nonce-request.ts
@@ -1468,15 +1636,15 @@ var import_oauth217 = require("@openid4vc/oauth2");
 var import_utils16 = require("@openid4vc/utils");
 // src/notification/z-notification.ts
-var import_zod18 = __toESM(require("zod"));
-var zNotificationEvent = import_zod18.default.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
-var zNotificationRequest = import_zod18.default.object({
-  notification_id: import_zod18.default.string(),
+var import_zod20 = __toESM(require("zod"));
+var zNotificationEvent = import_zod20.default.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
+var zNotificationRequest = import_zod20.default.object({
+  notification_id: import_zod20.default.string(),
   event: zNotificationEvent,
-  event_description: import_zod18.default.optional(import_zod18.default.string())
+  event_description: import_zod20.default.optional(import_zod20.default.string())
 }).passthrough();
-var zNotificationErrorResponse = import_zod18.default.object({
-  error: import_zod18.default.enum(["invalid_notification_id", "invalid_notification_request"])
+var zNotificationErrorResponse = import_zod20.default.object({
+  error: import_zod20.default.enum(["invalid_notification_id", "invalid_notification_request"])
 }).passthrough();
 // src/notification/notification.ts
@@ -1619,7 +1787,6 @@ var Openid4vciClient = class {
           issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
         },
         dpop: options.dpop,
-        clientAttestation: options.clientAttestation,
         resource: options.issuerMetadata.credentialIssuer.credential_issuer,
         authorizationServerMetadata
       });
@@ -1673,7 +1840,6 @@ var Openid4vciClient = class {
       redirectUri: options.redirectUri,
       scope: options.scope,
       pkceCodeVerifier: options.pkceCodeVerifier,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
     return {
@@ -1692,8 +1858,7 @@ var Openid4vciClient = class {
     issuerMetadata,
     additionalRequestPayload,
     txCode,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     if (!credentialOffer.grants?.[import_oauth218.preAuthorizedCodeGrantIdentifier]) {
       throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.preAuthorizedCodeGrantIdentifier}' grant.`);
@@ -1718,8 +1883,7 @@ var Openid4vciClient = class {
       txCode,
       resource: issuerMetadata.credentialIssuer.credential_issuer,
       additionalRequestPayload,
-      dpop,
-      clientAttestation
+      dpop
     });
     return {
       ...result,
@@ -1737,8 +1901,7 @@ var Openid4vciClient = class {
     authorizationCode,
     pkceCodeVerifier,
     redirectUri,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     if (!credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
       throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.authorizationCodeGrantIdentifier}' grant.`);
@@ -1757,7 +1920,6 @@ var Openid4vciClient = class {
       pkceCodeVerifier,
       additionalRequestPayload,
       dpop,
-      clientAttestation,
       redirectUri,
       resource: issuerMetadata.credentialIssuer.credential_issuer
     });
@@ -1835,20 +1997,34 @@ var Openid4vciClient = class {
     accessToken,
     dpop
   }) {
-    const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
-      credentialConfigurationId,
-      issuerMetadata
-    });
-    const credentialResponse = await retrieveCredentialsWithFormat({
-      accessToken,
-      formatPayload,
-      issuerMetadata,
-      additionalRequestPayload,
-      proof,
-      proofs,
-      callbacks: this.options.callbacks,
-      dpop
-    });
+    let credentialResponse;
+    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+      credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
+        accessToken,
+        credentialConfigurationId,
+        issuerMetadata,
+        additionalRequestPayload,
+        proof,
+        proofs,
+        callbacks: this.options.callbacks,
+        dpop
+      });
+    } else {
+      const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
+        credentialConfigurationId,
+        issuerMetadata
+      });
+      credentialResponse = await retrieveCredentialsWithFormat({
+        accessToken,
+        formatPayload,
+        issuerMetadata,
+        additionalRequestPayload,
+        proof,
+        proofs,
+        callbacks: this.options.callbacks,
+        dpop
+      });
+    }
     if (!credentialResponse.ok) {
       throw new Openid4vciRetrieveCredentialsError(
         `Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`,
@@ -1910,7 +2086,7 @@ function createCredentialResponse(options) {
 // src/credential-request/parse-credential-request.ts
 var import_utils18 = require("@openid4vc/utils");
-var import_zod19 = __toESM(require("zod"));
+var import_zod21 = __toESM(require("zod"));
 function parseCredentialRequest(options) {
   const credentialRequest = (0, import_utils18.parseWithErrorHandling)(
     zCredentialRequest,
@@ -1922,12 +2098,27 @@ function parseCredentialRequest(options) {
   if (knownProofs.success) {
     proofs = knownProofs.data;
   }
-  const knownProof = import_zod19.default.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+  const knownProof = import_zod21.default.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
   if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
     proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
   } else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
     proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
   }
+  if (credentialRequest.credential_configuration_id) {
+    getCredentialConfigurationSupportedById(
+      options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+      credentialRequest.credential_configuration_id
+    );
+    const credentialConfigurations = extractKnownCredentialConfigurationSupportedFormats(
+      options.issuerMetadata.credentialIssuer.credential_configurations_supported
+    );
+    return {
+      credentialConfiguration: credentialConfigurations[credentialRequest.credential_configuration_id],
+      credentialConfigurationId: credentialRequest.credential_configuration_id,
+      credentialRequest,
+      proofs
+    };
+  }
   if (credentialRequest.credential_identifier) {
     return {
       credentialIdentifier: credentialRequest.credential_identifier,
@@ -1935,11 +2126,13 @@ function parseCredentialRequest(options) {
       proofs
     };
   }
-  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) {
+  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(
+    credentialRequest.format
+  )) {
     return {
       // Removes all claims that are not specific to this format
       format: (0, import_utils18.parseWithErrorHandling)(
-        import_zod19.default.union(allCredentialRequestFormats),
+        import_zod21.default.union(allCredentialRequestFormats),
         credentialRequest,
         "Unable to validate format specific properties from credential request"
       ),
@@ -2091,6 +2284,40 @@ var Openid4vciIssuer = class {
   createNonceResponse(options) {
     return createNonceResponse(options);
   }
+  async verifyWalletAttestation(options) {
+    return new import_oauth219.Oauth2AuthorizationServer({
+      callbacks: this.options.callbacks
+    }).verifyClientAttestation(options);
+  }
+};
+// src/Openid4vciWalletProvider.ts
+var import_oauth220 = require("@openid4vc/oauth2");
+var Openid4vciWalletProvider = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async createWalletAttestationJwt(options) {
+    const additionalPayload = options.additionalPayload ? {
+      wallet_name: options.walletName,
+      wallet_link: options.walletLink,
+      ...options.additionalPayload
+    } : {
+      wallet_name: options.walletName,
+      wallet_link: options.walletLink
+    };
+    return await (0, import_oauth220.createClientAttestationJwt)({
+      ...options,
+      callbacks: this.options.callbacks,
+      additionalPayload
+    });
+  }
+  async createKeyAttestationJwt(options) {
+    return await createKeyAttestationJwt({
+      callbacks: this.options.callbacks,
+      ...options
+    });
+  }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -2101,6 +2328,7 @@ var Openid4vciIssuer = class {
   Openid4vciIssuer,
   Openid4vciRetrieveCredentialsError,
   Openid4vciSendNotificationError,
+  Openid4vciWalletProvider,
   credentialsSupportedToCredentialConfigurationsSupported,
   extractScopesForCredentialConfigurationIds,
   getCredentialConfigurationsMatchingRequestFormat,