@openid4vc/openid4vci 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250325212250

package/dist/index.mjs

@@ -11,117 +11,81 @@ import { joinUriParts } from "@openid4vc/utils";
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 import { zCompactJwt } from "@openid4vc/oauth2";
 import { zHttpsUrl } from "@openid4vc/utils";
-import z9 from "zod";
+import z11 from "zod";
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-import z3 from "zod";
-
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
 import z2 from "zod";
 
-// src/key-attestation/z-key-attestation.ts
-import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
-import { zInteger } from "@openid4vc/utils";
+// src/metadata/credential-issuer/z-claims-description.ts
 import z from "zod";
-var zKeyAttestationJwtHeader = z.object({
-  ...zJwtHeader.shape,
-  typ: z.literal("keyattestation+jwt")
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
-  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
-}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
-  message: `When 'trust_chain' is provided, 'kid' is required`
-});
-var zIso18045 = z.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
-var zIso18045OrStringArray = z.array(z.union([zIso18045, z.string()]));
-var zKeyAttestationJwtPayload = z.object({
-  ...zJwtPayload.shape,
-  iat: zInteger,
-  attested_keys: z.array(zJwk),
-  key_storage: z.optional(zIso18045OrStringArray),
-  user_authentication: z.optional(zIso18045OrStringArray),
-  certification: z.optional(z.string())
-}).passthrough();
-var zKeyAttestationJwtPayloadForUse = (use) => z.object({
-  ...zKeyAttestationJwtPayload.shape,
-  // REQUIRED when used as proof_type.attesation directly
-  nonce: use === "proof_type.attestation" ? z.string({
-    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
-  }) : z.optional(z.string()),
-  // REQUIRED when used within header of proof_type.jwt
-  exp: use === "proof_type.jwt" ? zInteger : z.optional(zInteger)
-}).passthrough();
-
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var zCredentialConfigurationSupportedClaims = z2.object({
-  mandatory: z2.boolean().optional(),
-  value_type: z2.string().optional(),
-  display: z2.object({
-    name: z2.string().optional(),
-    locale: z2.string().optional()
+var zCredentialConfigurationSupportedClaimsDraft14 = z.object({
+  mandatory: z.boolean().optional(),
+  value_type: z.string().optional(),
+  display: z.object({
+    name: z.string().optional(),
+    locale: z.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialConfigurationSupportedCommon = z2.object({
-  format: z2.string(),
-  scope: z2.string().optional(),
-  cryptographic_binding_methods_supported: z2.array(z2.string()).optional(),
-  credential_signing_alg_values_supported: z2.array(z2.string()).optional(),
-  proof_types_supported: z2.record(
-    z2.union([z2.literal("jwt"), z2.literal("attestation"), z2.string()]),
-    z2.object({
-      proof_signing_alg_values_supported: z2.array(z2.string()),
-      key_attestations_required: z2.object({
-        key_storage: zIso18045OrStringArray.optional(),
-        user_authentication: zIso18045OrStringArray.optional()
-      }).passthrough().optional()
-    })
-  ).optional(),
-  display: z2.array(
-    z2.object({
-      name: z2.string(),
-      locale: z2.string().optional(),
-      logo: z2.object({
-        // FIXME: make required again, but need to support draft 11 first
-        uri: z2.string().optional(),
-        alt_text: z2.string().optional()
-      }).passthrough().optional(),
-      description: z2.string().optional(),
-      background_color: z2.string().optional(),
-      background_image: z2.object({
-        // TODO: should be required, but paradym's metadata is wrong here.
-        uri: z2.string().optional()
-      }).passthrough().optional(),
-      text_color: z2.string().optional()
+var zClaimsDescriptionPath = z.array(z.union([z.string(), z.number().int().nonnegative(), z.null()])).nonempty();
+var zMsoMdocClaimsDescriptionPath = z.tuple([z.string(), z.string()], {
+  message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential"
+});
+var zIssuerMetadataClaimsDescription = z.object({
+  path: zClaimsDescriptionPath,
+  mandatory: z.boolean().optional(),
+  display: z.array(
+    z.object({
+      name: z.string().optional(),
+      locale: z.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
+var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({
+  path: zMsoMdocClaimsDescriptionPath
+});
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var zMsoMdocFormatIdentifier = z3.literal("mso_mdoc");
-var zMsoMdocCredentialIssuerMetadata = z3.object({
+var zMsoMdocFormatIdentifier = z2.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = z2.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z3.string(),
-  claims: z3.optional(zCredentialConfigurationSupportedClaims),
-  order: z3.optional(z3.array(z3.string()))
+  doctype: z2.string(),
+  claims: z2.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
 });
-var zMsoMdocCredentialRequestFormat = z3.object({
+var zMsoMdocCredentialIssuerMetadataDraft14 = z2.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z3.string(),
-  claims: z3.optional(zCredentialConfigurationSupportedClaims)
+  doctype: z2.string(),
+  claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
+  order: z2.optional(z2.array(z2.string()))
+});
+var zMsoMdocCredentialRequestFormatDraft14 = z2.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: z2.string(),
+  // Format based request is removed in Draft 15, so only old claims syntax supported.
+  claims: z2.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 
 // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
-import z4 from "zod";
-var zSdJwtVcFormatIdentifier = z4.literal("vc+sd-jwt");
-var zSdJwtVcCredentialIssuerMetadata = z4.object({
-  vct: z4.string(),
+import z3 from "zod";
+var zSdJwtVcFormatIdentifier = z3.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadataDraft14 = z3.object({
+  vct: z3.string(),
   format: zSdJwtVcFormatIdentifier,
-  claims: z4.optional(zCredentialConfigurationSupportedClaims),
-  order: z4.optional(z4.array(z4.string()))
+  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14),
+  order: z3.optional(z3.array(z3.string()))
 });
-var zSdJwtVcCredentialRequestFormat = z4.object({
+var zSdJwtVcCredentialRequestFormatDraft14 = z3.object({
   format: zSdJwtVcFormatIdentifier,
+  vct: z3.string(),
+  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14)
+});
+
+// src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
+import z4 from "zod";
+var zSdJwtDcFormatIdentifier = z4.literal("dc+sd-jwt");
+var zSdJwtDcCredentialIssuerMetadata = z4.object({
   vct: z4.string(),
-  claims: z4.optional(zCredentialConfigurationSupportedClaims)
+  format: zSdJwtDcFormatIdentifier,
+  claims: z4.array(zIssuerMetadataClaimsDescription).optional()
 });
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
@@ -129,7 +93,7 @@ import z6 from "zod";
 
 // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
 import z5 from "zod";
-var zCredentialSubjectLeafType = z5.object({
+var zCredentialSubjectLeafTypeDraft14 = z5.object({
   mandatory: z5.boolean().optional(),
   value_type: z5.string().optional(),
   display: z5.array(
@@ -139,19 +103,30 @@ var zCredentialSubjectLeafType = z5.object({
     }).passthrough()
   ).optional()
 }).passthrough();
-var zClaimValueSchema = z5.union([z5.array(z5.any()), z5.record(z5.string(), z5.any()), zCredentialSubjectLeafType]);
-var zW3cVcCredentialSubject = z5.record(z5.string(), zClaimValueSchema);
+var zClaimValueSchemaDraft14 = z5.union([
+  z5.array(z5.any()),
+  z5.record(z5.string(), z5.any()),
+  zCredentialSubjectLeafTypeDraft14
+]);
+var zW3cVcCredentialSubjectDraft14 = z5.record(z5.string(), zClaimValueSchemaDraft14);
 var zW3cVcJsonLdCredentialDefinition = z5.object({
   "@context": z5.array(z5.string()),
-  type: z5.array(z5.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  type: z5.array(z5.string())
 }).passthrough();
+var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
+});
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
 var zLdpVcFormatIdentifier = z6.literal("ldp_vc");
 var zLdpVcCredentialIssuerMetadata = z6.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft14 = z6.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
   order: z6.array(z6.string()).optional()
 });
 var zLdpVcCredentialIssuerMetadataDraft11 = z6.object({
@@ -161,7 +136,7 @@ var zLdpVcCredentialIssuerMetadataDraft11 = z6.object({
   // As well as using types instead of type
   "@context": z6.array(z6.string()),
   types: z6.array(z6.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
   ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -174,14 +149,14 @@ var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDr
     }
   })
 );
-var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   ...credentialDefinition,
   types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-var zLdpVcCredentialRequestFormat = z6.object({
+var zLdpVcCredentialRequestFormatDraft14 = z6.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: zW3cVcJsonLdCredentialDefinition
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
 var zLdpVcCredentialRequestDraft11 = z6.object({
   format: zLdpVcFormatIdentifier,
@@ -189,7 +164,7 @@ var zLdpVcCredentialRequestDraft11 = z6.object({
     "@context": z6.array(z6.string()),
     // credential_definition was using types instead of type in v11
     types: z6.array(z6.string()),
-    credentialSubject: zW3cVcCredentialSubject.optional()
+    credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
   })
 }).passthrough();
 var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(
@@ -201,7 +176,7 @@ var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transfor
     }
   })
 );
-var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
   ...rest,
   credential_definition: {
     ...restCredentialDefinition,
@@ -215,6 +190,11 @@ var zJwtVcJsonLdFormatIdentifier = z7.literal("jwt_vc_json-ld");
 var zJwtVcJsonLdCredentialIssuerMetadata = z7.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = z7.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
   order: z7.optional(z7.array(z7.string()))
 });
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z7.object({
@@ -224,7 +204,7 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z7.object({
   // As well as using types instead of type
   "@context": z7.array(z7.string()),
   types: z7.array(z7.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
   ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -237,12 +217,12 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssu
     }
   })
 );
-var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   ...credentialDefinition,
   types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-var zJwtVcJsonLdCredentialRequestFormat = z7.object({
+var zJwtVcJsonLdCredentialRequestFormatDraft14 = z7.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition
 });
@@ -252,7 +232,7 @@ var zJwtVcJsonLdCredentialRequestDraft11 = z7.object({
     "@context": z7.array(z7.string()),
     // credential_definition was using types instead of type in v11
     types: z7.array(z7.string()),
-    credentialSubject: z7.optional(zW3cVcCredentialSubject)
+    credentialSubject: z7.optional(zW3cVcCredentialSubjectDraft14)
   }).passthrough()
 }).passthrough();
 var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -264,7 +244,7 @@ var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraf
     }
   })
 );
-var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
   ...rest,
   credential_definition: {
     ...restCredentialDefinition,
@@ -276,12 +256,19 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
 import z8 from "zod";
 var zJwtVcJsonFormatIdentifier = z8.literal("jwt_vc_json");
 var zJwtVcJsonCredentialDefinition = z8.object({
-  type: z8.array(z8.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  type: z8.array(z8.string())
 }).passthrough();
+var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
+});
 var zJwtVcJsonCredentialIssuerMetadata = z8.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition,
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft14 = z8.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
   order: z8.array(z8.string()).optional()
 });
 var zJwtVcJsonCredentialIssuerMetadataDraft11 = z8.object({
@@ -290,7 +277,7 @@ var zJwtVcJsonCredentialIssuerMetadataDraft11 = z8.object({
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
   types: z8.array(z8.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
   ({ types, credentialSubject, ...rest }) => ({
@@ -302,12 +289,12 @@ var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMe
     }
   })
 );
-var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-var zJwtVcJsonCredentialRequestFormat = z8.object({
+var zJwtVcJsonCredentialRequestFormatDraft14 = z8.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition
 });
@@ -316,7 +303,7 @@ var zJwtVcJsonCredentialRequestDraft11 = z8.object({
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
   types: z8.array(z8.string()),
-  credentialSubject: z8.optional(zW3cVcCredentialSubject)
+  credentialSubject: z8.optional(zW3cVcCredentialSubjectDraft14)
 }).passthrough();
 var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
   ({ types, credentialSubject, ...rest }) => {
@@ -330,7 +317,7 @@ var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.
     };
   }
 );
-var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   types: type,
   ...credentialDefinition
@@ -338,18 +325,95 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.p
 
 // src/version.ts
 var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft15"] = "Draft15";
   Openid4vciDraftVersion2["Draft14"] = "Draft14";
   Openid4vciDraftVersion2["Draft11"] = "Draft11";
   return Openid4vciDraftVersion2;
 })(Openid4vciDraftVersion || {});
 
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+import z10 from "zod";
+
+// src/key-attestation/z-key-attestation.ts
+import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
+import { zInteger } from "@openid4vc/utils";
+import z9 from "zod";
+var zKeyAttestationJwtHeader = z9.object({
+  ...zJwtHeader.shape,
+  typ: z9.literal("keyattestation+jwt")
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = z9.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = z9.array(z9.union([zIso18045, z9.string()]));
+var zKeyAttestationJwtPayload = z9.object({
+  ...zJwtPayload.shape,
+  iat: zInteger,
+  attested_keys: z9.array(zJwk),
+  key_storage: z9.optional(zIso18045OrStringArray),
+  user_authentication: z9.optional(zIso18045OrStringArray),
+  certification: z9.optional(z9.string().url())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => z9.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? z9.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : z9.optional(z9.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? zInteger : z9.optional(zInteger)
+}).passthrough();
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedCommon = z10.object({
+  format: z10.string(),
+  scope: z10.string().optional(),
+  cryptographic_binding_methods_supported: z10.array(z10.string()).optional(),
+  credential_signing_alg_values_supported: z10.array(z10.string()).optional(),
+  proof_types_supported: z10.record(
+    z10.union([z10.literal("jwt"), z10.literal("attestation"), z10.string()]),
+    z10.object({
+      proof_signing_alg_values_supported: z10.array(z10.string()),
+      key_attestations_required: z10.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  display: z10.array(
+    z10.object({
+      name: z10.string(),
+      locale: z10.string().optional(),
+      logo: z10.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: z10.string().optional(),
+        alt_text: z10.string().optional()
+      }).passthrough().optional(),
+      description: z10.string().optional(),
+      background_color: z10.string().optional(),
+      background_image: z10.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: z10.string().optional()
+      }).passthrough().optional(),
+      text_color: z10.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
+
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 var allCredentialIssuerMetadataFormats = [
-  zSdJwtVcCredentialIssuerMetadata,
+  zSdJwtDcCredentialIssuerMetadata,
   zMsoMdocCredentialIssuerMetadata,
   zJwtVcJsonLdCredentialIssuerMetadata,
   zLdpVcCredentialIssuerMetadata,
-  zJwtVcJsonCredentialIssuerMetadata
+  zJwtVcJsonCredentialIssuerMetadata,
+  zMsoMdocCredentialIssuerMetadataDraft14,
+  zSdJwtVcCredentialIssuerMetadataDraft14,
+  zJwtVcJsonLdCredentialIssuerMetadataDraft14,
+  zLdpVcCredentialIssuerMetadataDraft14,
+  zJwtVcJsonCredentialIssuerMetadataDraft14
 ];
 var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
   (format) => format.shape.format.value
@@ -357,56 +421,69 @@ var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFo
 var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSupportedCommon.transform(
   (data, ctx) => {
     if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
-    const result = z9.object({}).passthrough().and(z9.discriminatedUnion("format", allCredentialIssuerMetadataFormats)).safeParse(data);
+    const validators = allCredentialIssuerMetadataFormats.reduce(
+      (validators2, formatValidator) => {
+        const format = formatValidator.shape.format.value;
+        if (!validators2[format]) {
+          validators2[format] = [];
+        }
+        validators2[format].push(formatValidator);
+        return validators2;
+      },
+      {}
+    )[data.format];
+    const result = z11.object({}).passthrough().and(
+      validators.length > 1 ? z11.union(validators) : validators[0]
+    ).safeParse(data);
     if (result.success) {
       return result.data;
     }
     for (const issue of result.error.issues) {
       ctx.addIssue(issue);
     }
-    return z9.NEVER;
+    return z11.NEVER;
   }
 );
-var zCredentialIssuerMetadataDisplayEntry = z9.object({
-  name: z9.string().optional(),
-  locale: z9.string().optional(),
-  logo: z9.object({
+var zCredentialIssuerMetadataDisplayEntry = z11.object({
+  name: z11.string().optional(),
+  locale: z11.string().optional(),
+  logo: z11.object({
     // FIXME: make required again, but need to support draft 11 first
-    uri: z9.string().optional(),
-    alt_text: z9.string().optional()
+    uri: z11.string().optional(),
+    alt_text: z11.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialIssuerMetadataDraft14 = z9.object({
+var zCredentialIssuerMetadataDraft14Draft15 = z11.object({
   credential_issuer: zHttpsUrl,
-  authorization_servers: z9.array(zHttpsUrl).optional(),
+  authorization_servers: z11.array(zHttpsUrl).optional(),
   credential_endpoint: zHttpsUrl,
   deferred_credential_endpoint: zHttpsUrl.optional(),
   notification_endpoint: zHttpsUrl.optional(),
   // Added after draft 14, but needed for proper
   nonce_endpoint: zHttpsUrl.optional(),
-  credential_response_encryption: z9.object({
-    alg_values_supported: z9.array(z9.string()),
-    enc_values_supported: z9.array(z9.string()),
-    encryption_required: z9.boolean()
+  credential_response_encryption: z11.object({
+    alg_values_supported: z11.array(z11.string()),
+    enc_values_supported: z11.array(z11.string()),
+    encryption_required: z11.boolean()
   }).passthrough().optional(),
-  batch_credential_issuance: z9.object({
-    batch_size: z9.number().positive()
+  batch_credential_issuance: z11.object({
+    batch_size: z11.number().positive()
   }).passthrough().optional(),
   signed_metadata: zCompactJwt.optional(),
-  display: z9.array(zCredentialIssuerMetadataDisplayEntry).optional(),
-  credential_configurations_supported: z9.record(z9.string(), zCredentialConfigurationSupportedWithFormats)
+  display: z11.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+  credential_configurations_supported: z11.record(z11.string(), zCredentialConfigurationSupportedWithFormats)
 }).passthrough();
-var zCredentialConfigurationSupportedDraft11To14 = z9.object({
-  id: z9.string().optional(),
-  format: z9.string(),
-  cryptographic_suites_supported: z9.array(z9.string()).optional(),
-  display: z9.array(
-    z9.object({
-      logo: z9.object({
-        url: z9.string().url().optional()
+var zCredentialConfigurationSupportedDraft11To14 = z11.object({
+  id: z11.string().optional(),
+  format: z11.string(),
+  cryptographic_suites_supported: z11.array(z11.string()).optional(),
+  display: z11.array(
+    z11.object({
+      logo: z11.object({
+        url: z11.string().url().optional()
       }).passthrough().optional(),
-      background_image: z9.object({
-        url: z9.string().url().optional()
+      background_image: z11.object({
+        url: z11.string().url().optional()
       }).passthrough().optional()
     }).passthrough()
   ).optional()
@@ -447,11 +524,11 @@ var zCredentialConfigurationSupportedDraft11To14 = z9.object({
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z9.NEVER;
+  return z11.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
-  z9.object({
-    id: z9.string()
+  z11.object({
+    id: z11.string()
   }).passthrough()
 ).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
   ...rest,
@@ -471,15 +548,15 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
   } : {},
   id
 })).pipe(
-  z9.union([
+  z11.union([
     zLdpVcCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
     // To handle unrecognized formats and not error immediately we allow the common format as well
     // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
     // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
-    z9.object({
-      format: z9.string().refine(
+    z11.object({
+      format: z11.string().refine(
         (input) => ![
           zLdpVcFormatIdentifier.value,
           zJwtVcJsonFormatIdentifier.value,
@@ -489,11 +566,11 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     }).passthrough()
   ])
 );
-var zCredentialIssuerMetadataDraft11To14 = z9.object({
-  authorization_server: z9.string().optional(),
-  credentials_supported: z9.array(
-    z9.object({
-      id: z9.string().optional()
+var zCredentialIssuerMetadataDraft11To14 = z11.object({
+  authorization_server: z11.string().optional(),
+  credentials_supported: z11.array(
+    z11.object({
+      id: z11.string().optional()
     }).passthrough()
   )
 }).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
@@ -506,12 +583,12 @@ var zCredentialIssuerMetadataDraft11To14 = z9.object({
     )
   };
 }).pipe(
-  z9.object({
+  z11.object({
     // Update from v11 structrue to v14 structure
-    credential_configurations_supported: z9.record(z9.string(), zCredentialConfigurationSupportedDraft11To14)
+    credential_configurations_supported: z11.record(z11.string(), zCredentialConfigurationSupportedDraft11To14)
   }).passthrough()
-).pipe(zCredentialIssuerMetadataDraft14);
-var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.transform((issuerMetadata) => ({
+).pipe(zCredentialIssuerMetadataDraft14Draft15);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
   ...issuerMetadata,
   ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
   credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
@@ -519,22 +596,35 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.tran
     id
   }))
 })).pipe(
-  zCredentialIssuerMetadataDraft14.extend({
-    credentials_supported: z9.array(zCredentialConfigurationSupportedDraft14To11)
+  zCredentialIssuerMetadataDraft14Draft15.extend({
+    credentials_supported: z11.array(zCredentialConfigurationSupportedDraft14To11)
   })
 );
-var zCredentialIssuerMetadata = z9.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialIssuerMetadataDraft14,
+var zCredentialIssuerMetadata = z11.union([
+  // First prioritize draft 15/14 (and 13)
+  zCredentialIssuerMetadataDraft14Draft15,
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14
 ]);
-var zCredentialIssuerMetadataWithDraftVersion = z9.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialIssuerMetadataDraft14.transform((credentialIssuerMetadata) => ({
-    credentialIssuerMetadata,
-    originalDraftVersion: "Draft14" /* Draft14 */
-  })),
+var zCredentialIssuerMetadataWithDraftVersion = z11.union([
+  zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
+    const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
+      (configuration) => {
+        const knownConfiguration = configuration;
+        if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
+        if (Array.isArray(knownConfiguration.claims)) return true;
+        if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
+          (proofType) => proofType.key_attestations_required !== void 0
+        ))
+          return true;
+        return false;
+      }
+    );
+    return {
+      credentialIssuerMetadata,
+      originalDraftVersion: isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
+    };
+  }),
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
     credentialIssuerMetadata,
@@ -561,6 +651,15 @@ function extractKnownCredentialConfigurationSupportedFormats(credentialConfigura
     )
   );
 }
+function getCredentialConfigurationSupportedById(credentialConfigurations, credentialConfigurationId) {
+  const configuration = credentialConfigurations[credentialConfigurationId];
+  if (!configuration) {
+    throw new Oauth2Error(
+      `Credential configuration with id '${credentialConfigurationId}' not found in credential configurations supported.`
+    );
+  }
+  return configuration;
+}
 
 // src/credential-request/credential-request-configurations.ts
 function getCredentialConfigurationsMatchingRequestFormat({
@@ -698,41 +797,41 @@ import {
   preAuthorizedCodeGrantIdentifier
 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
-import z10 from "zod";
-var zTxCode = z10.object({
-  input_mode: z10.union([z10.literal("numeric"), z10.literal("text")]).optional(),
-  length: z10.number().int().optional(),
-  description: z10.string().max(300).optional()
+import z12 from "zod";
+var zTxCode = z12.object({
+  input_mode: z12.union([z12.literal("numeric"), z12.literal("text")]).optional(),
+  length: z12.number().int().optional(),
+  description: z12.string().max(300).optional()
 }).passthrough();
-var zCredentialOfferGrants = z10.object({
-  authorization_code: z10.object({
-    issuer_state: z10.string().optional(),
+var zCredentialOfferGrants = z12.object({
+  authorization_code: z12.object({
+    issuer_state: z12.string().optional(),
     authorization_server: zHttpsUrl2.optional()
   }).passthrough().optional(),
-  [preAuthorizedCodeGrantIdentifier]: z10.object({
-    "pre-authorized_code": z10.string(),
+  [preAuthorizedCodeGrantIdentifier]: z12.object({
+    "pre-authorized_code": z12.string(),
     tx_code: zTxCode.optional(),
     authorization_server: zHttpsUrl2.optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialOfferObjectDraft14 = z10.object({
+var zCredentialOfferObjectDraft14 = z12.object({
   credential_issuer: zHttpsUrl2,
-  credential_configuration_ids: z10.array(z10.string()),
-  grants: z10.optional(zCredentialOfferGrants)
+  credential_configuration_ids: z12.array(z12.string()),
+  grants: z12.optional(zCredentialOfferGrants)
 }).passthrough();
-var zCredentialOfferObjectDraft11To14 = z10.object({
+var zCredentialOfferObjectDraft11To14 = z12.object({
   credential_issuer: zHttpsUrl2,
   // We don't support the inline offer objects from draft 11
-  credentials: z10.array(
-    z10.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
+  credentials: z12.array(
+    z12.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
   ),
-  grants: z10.optional(
-    z10.object({
+  grants: z12.optional(
+    z12.object({
       // Has extra param in draft 14, but doesn't matter for transform purposes
       authorization_code: zCredentialOfferGrants.shape.authorization_code,
-      [preAuthorizedCodeGrantIdentifier]: z10.object({
-        "pre-authorized_code": z10.string(),
-        user_pin_required: z10.optional(z10.boolean())
+      [preAuthorizedCodeGrantIdentifier]: z12.object({
+        "pre-authorized_code": z12.string(),
+        user_pin_required: z12.optional(z12.boolean())
       }).passthrough().optional()
     })
   )
@@ -757,7 +856,7 @@ var zCredentialOfferObjectDraft11To14 = z10.object({
   }
   return v14;
 }).pipe(zCredentialOfferObjectDraft14);
-var zCredentialOfferObject = z10.union([
+var zCredentialOfferObject = z12.union([
   // First prioritize draft 14 (and 13)
   zCredentialOfferObjectDraft14,
   // Then try parsing draft 11 and transform into draft 14
@@ -896,25 +995,23 @@ async function createCredentialOffer(options) {
 // src/credential-request/format-payload.ts
 import { zIs } from "@openid4vc/utils";
 function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
-  const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
-  if (!credentialConfiguration) {
-    throw new Openid4vciError(
-      `Could not find credential configuration with id '${options.credentialConfigurationId}' in metadata of credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'.`
-    );
-  }
-  if (zIs(zSdJwtVcCredentialIssuerMetadata, credentialConfiguration)) {
+  const credentialConfiguration = getCredentialConfigurationSupportedById(
+    options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+    options.credentialConfigurationId
+  );
+  if (zIs(zSdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       vct: credentialConfiguration.vct
     };
   }
-  if (zIs(zMsoMdocCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zMsoMdocCredentialIssuerMetadata, credentialConfiguration) || zIs(zMsoMdocCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       doctype: credentialConfiguration.doctype
     };
   }
-  if (zIs(zLdpVcCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zLdpVcCredentialIssuerMetadata, credentialConfiguration) || zIs(zLdpVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -923,7 +1020,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
-  if (zIs(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration) || zIs(zJwtVcJsonLdCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -932,7 +1029,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
-  if (zIs(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration) || zIs(zJwtVcJsonCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -940,6 +1037,11 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
+  if (zIs(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
+    throw new Openid4vciError(
+      `Credential configuration id '${options.credentialConfigurationId}' with format ${zSdJwtVcFormatIdentifier.value} does not support credential request based on 'format'. Use 'credential_configuration_id' directly.`
+    );
+  }
   throw new Openid4vciError(
     `Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
   );
@@ -953,33 +1055,33 @@ import {
 import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
 
 // src/credential-request/z-credential-request.ts
-import z14 from "zod";
+import z16 from "zod";
 
 // src/credential-request/z-credential-request-common.ts
 import { zJwk as zJwk2 } from "@openid4vc/oauth2";
-import z13 from "zod";
+import z15 from "zod";
 
 // src/formats/proof-type/jwt/z-jwt-proof-type.ts
 import { zCompactJwt as zCompactJwt2, zJwtHeader as zJwtHeader2, zJwtPayload as zJwtPayload2 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl3, zInteger as zInteger2 } from "@openid4vc/utils";
-import z11 from "zod";
-var zJwtProofTypeIdentifier = z11.literal("jwt");
+import z13 from "zod";
+var zJwtProofTypeIdentifier = z13.literal("jwt");
 var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
-var zCredentialRequestProofJwt = z11.object({
+var zCredentialRequestProofJwt = z13.object({
   proof_type: zJwtProofTypeIdentifier,
   jwt: zCompactJwt2
 });
 var zCredentialRequestJwtProofTypeHeader = zJwtHeader2.merge(
-  z11.object({
-    key_attestation: z11.optional(zCompactJwt2),
-    typ: z11.literal("openid4vci-proof+jwt")
+  z13.object({
+    key_attestation: z13.optional(zCompactJwt2),
+    typ: z13.literal("openid4vci-proof+jwt")
   })
 ).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
   message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
 }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
   message: `When 'trust_chain' is provided, 'kid' is required`
 });
-var zCredentialRequestJwtProofTypePayload = z11.object({
+var zCredentialRequestJwtProofTypePayload = z13.object({
   ...zJwtPayload2.shape,
   aud: zHttpsUrl3,
   iat: zInteger2
@@ -987,40 +1089,40 @@ var zCredentialRequestJwtProofTypePayload = z11.object({
 
 // src/formats/proof-type/attestation/z-attestation-proof-type.ts
 import { zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
-import z12 from "zod";
-var zAttestationProofTypeIdentifier = z12.literal("attestation");
+import z14 from "zod";
+var zAttestationProofTypeIdentifier = z14.literal("attestation");
 var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
-var zCredentialRequestProofAttestation = z12.object({
+var zCredentialRequestProofAttestation = z14.object({
   proof_type: zAttestationProofTypeIdentifier,
   attestation: zCompactJwt3
 });
 var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
 
 // src/credential-request/z-credential-request-common.ts
-var zCredentialRequestProofCommon = z13.object({
-  proof_type: z13.string()
+var zCredentialRequestProofCommon = z15.object({
+  proof_type: z15.string()
 }).passthrough();
 var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
-var zCredentialRequestProof = z13.union([
+var zCredentialRequestProof = z15.union([
   zCredentialRequestProofCommon,
-  z13.discriminatedUnion("proof_type", allCredentialRequestProofs)
+  z15.discriminatedUnion("proof_type", allCredentialRequestProofs)
 ]);
-var zCredentialRequestProofsCommon = z13.record(z13.string(), z13.array(z13.unknown()));
-var zCredentialRequestProofs = z13.object({
-  [zJwtProofTypeIdentifier.value]: z13.optional(z13.array(zCredentialRequestProofJwt.shape.jwt)),
-  [zAttestationProofTypeIdentifier.value]: z13.optional(z13.array(zCredentialRequestProofAttestation.shape.attestation))
+var zCredentialRequestProofsCommon = z15.record(z15.string(), z15.array(z15.unknown()));
+var zCredentialRequestProofs = z15.object({
+  [zJwtProofTypeIdentifier.value]: z15.optional(z15.array(zCredentialRequestProofJwt.shape.jwt)),
+  [zAttestationProofTypeIdentifier.value]: z15.optional(z15.array(zCredentialRequestProofAttestation.shape.attestation))
 });
-var zCredentialRequestCommon = z13.object({
+var zCredentialRequestCommon = z15.object({
   proof: zCredentialRequestProof.optional(),
-  proofs: z13.optional(
-    z13.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
+  proofs: z15.optional(
+    z15.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
       message: `The 'proofs' object in a credential request should contain exactly one attribute`
     })
   ),
-  credential_response_encryption: z13.object({
+  credential_response_encryption: z15.object({
     jwk: zJwk2,
-    alg: z13.string(),
-    enc: z13.string()
+    alg: z15.string(),
+    enc: z15.string()
   }).passthrough().optional()
 }).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
   message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
@@ -1028,40 +1130,54 @@ var zCredentialRequestCommon = z13.object({
 
 // src/credential-request/z-credential-request.ts
 var allCredentialRequestFormats = [
-  zSdJwtVcCredentialRequestFormat,
-  zMsoMdocCredentialRequestFormat,
-  zLdpVcCredentialRequestFormat,
-  zJwtVcJsonLdCredentialRequestFormat,
-  zJwtVcJsonCredentialRequestFormat
+  zSdJwtVcCredentialRequestFormatDraft14,
+  zMsoMdocCredentialRequestFormatDraft14,
+  zLdpVcCredentialRequestFormatDraft14,
+  zJwtVcJsonLdCredentialRequestFormatDraft14,
+  zJwtVcJsonCredentialRequestFormatDraft14
 ];
 var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
   (format) => format.shape.format.value
 );
-var zAuthorizationDetailsCredentialRequest = z14.object({
-  credential_identifier: z14.string(),
+var zCredentialRequestCredentialConfigurationId = z16.object({
+  credential_configuration_id: z16.string(),
+  format: z16.never({ message: "'format' cannot be defined when 'credential_configuration_id' is set." }).optional(),
+  credential_identifier: z16.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
+});
+var zAuthorizationDetailsCredentialRequest = z16.object({
+  credential_identifier: z16.string(),
+  credential_configuration_id: z16.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional(),
   // Cannot be present if credential identifier is present
-  format: z14.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
+  format: z16.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
 });
-var zCredentialRequestFormatNoCredentialIdentifier = z14.object({
-  format: z14.string(),
-  credential_identifier: z14.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional()
+var zCredentialRequestFormat = z16.object({
+  format: z16.string(),
+  credential_identifier: z16.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
+  credential_configuration_id: z16.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).passthrough();
-var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
-  if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-  const result = z14.object({}).passthrough().and(z14.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
+var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
+  if (!allCredentialRequestFormatIdentifiers.includes(
+    data.format
+  ))
+    return data;
+  const result = z16.object({}).passthrough().and(z16.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
   if (result.success) {
     return result.data;
   }
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z14.NEVER;
+  return z16.NEVER;
 });
-var zCredentialRequestDraft14 = z14.union([
+var zCredentialRequestDraft15 = z16.union([
+  zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest),
+  zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
+]);
+var zCredentialRequestDraft14 = z16.union([
   zCredenialRequestDraft14WithFormat,
   zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
 ]);
-var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
   const formatSpecificTransformations = {
     [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
     [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft11To14,
@@ -1074,7 +1190,7 @@ var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequ
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z14.NEVER;
+  return z16.NEVER;
 }).pipe(zCredentialRequestDraft14);
 var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
   (data) => data.credential_identifier === void 0,
@@ -1092,15 +1208,19 @@ var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z14.NEVER;
+  return z16.NEVER;
 });
-var zCredentialRequest = z14.union([zCredentialRequestDraft14, zCredentialRequestDraft11To14]);
+var zCredentialRequest = z16.union([
+  zCredentialRequestDraft15,
+  zCredentialRequestDraft14,
+  zCredentialRequestDraft11To14
+]);
 
 // src/credential-request/z-credential-response.ts
-import z16 from "zod";
+import z18 from "zod";
 
 // ../oauth2/src/common/z-oauth2-error.ts
-import z15 from "zod";
+import z17 from "zod";
 var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["ServerError"] = "server_error";
   Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
@@ -1137,21 +1257,21 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
   return Oauth2ErrorCodes4;
 })(Oauth2ErrorCodes || {});
-var zOauth2ErrorResponse = z15.object({
-  error: z15.union([z15.nativeEnum(Oauth2ErrorCodes), z15.string()]),
-  error_description: z15.string().optional(),
-  error_uri: z15.string().optional()
+var zOauth2ErrorResponse = z17.object({
+  error: z17.union([z17.nativeEnum(Oauth2ErrorCodes), z17.string()]),
+  error_description: z17.string().optional(),
+  error_uri: z17.string().optional()
 }).passthrough();
 
 // src/credential-request/z-credential-response.ts
-var zCredentialEncoding = z16.union([z16.string(), z16.record(z16.string(), z16.any())]);
-var zCredentialResponse = z16.object({
-  credential: z16.optional(zCredentialEncoding),
-  credentials: z16.optional(z16.array(zCredentialEncoding)),
-  transaction_id: z16.string().optional(),
-  c_nonce: z16.string().optional(),
-  c_nonce_expires_in: z16.number().int().optional(),
-  notification_id: z16.string().optional()
+var zCredentialEncoding = z18.union([z18.string(), z18.record(z18.string(), z18.any())]);
+var zCredentialResponse = z18.object({
+  credential: z18.optional(zCredentialEncoding),
+  credentials: z18.optional(z18.array(zCredentialEncoding)),
+  transaction_id: z18.string().optional(),
+  c_nonce: z18.string().optional(),
+  c_nonce_expires_in: z18.number().int().optional(),
+  notification_id: z18.string().optional()
 }).passthrough().refine(
   (value) => {
     const { credential, credentials, transaction_id } = value;
@@ -1161,14 +1281,43 @@ var zCredentialResponse = z16.object({
     message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
   }
 );
-var zCredentialErrorResponse = z16.object({
+var zCredentialErrorResponse = z18.object({
   ...zOauth2ErrorResponse.shape,
-  c_nonce: z16.string().optional(),
-  c_nonce_expires_in: z16.number().int().optional()
+  c_nonce: z18.string().optional(),
+  c_nonce_expires_in: z18.number().int().optional()
 }).passthrough();
 
 // src/credential-request/retrieve-credentials.ts
+async function retrieveCredentialsWithCredentialConfigurationId(options) {
+  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */) {
+    throw new Openid4vciError(
+      "Requesting credentials based on format is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
+    );
+  }
+  getCredentialConfigurationSupportedById(
+    options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+    options.credentialConfigurationId
+  );
+  const credentialRequest = {
+    ...options.additionalRequestPayload,
+    credential_configuration_id: options.credentialConfigurationId,
+    proof: options.proof,
+    proofs: options.proofs
+  };
+  return retrieveCredentials({
+    callbacks: options.callbacks,
+    credentialRequest,
+    issuerMetadata: options.issuerMetadata,
+    accessToken: options.accessToken,
+    dpop: options.dpop
+  });
+}
 async function retrieveCredentialsWithFormat(options) {
+  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+    throw new Openid4vciError(
+      "Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request."
+    );
+  }
   const credentialRequest = {
     ...options.formatPayload,
     ...options.additionalRequestPayload,
@@ -1254,6 +1403,24 @@ import { dateToSeconds as dateToSeconds2, parseWithErrorHandling as parseWithErr
 import { decodeJwt, jwtHeaderFromJwtSigner } from "@openid4vc/oauth2";
 import { jwtSignerFromJwt, verifyJwt } from "@openid4vc/oauth2";
 import { dateToSeconds, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
+async function createKeyAttestationJwt(options) {
+  const header = parseWithErrorHandling3(zKeyAttestationJwtHeader, {
+    ...jwtHeaderFromJwtSigner(options.signer),
+    typ: "keyattestation+jwt"
+  });
+  const payload = parseWithErrorHandling3(zKeyAttestationJwtPayloadForUse(options.use), {
+    iat: dateToSeconds(options.issuedAt),
+    exp: options.expiresAt ? dateToSeconds(options.expiresAt) : void 0,
+    nonce: options.nonce,
+    attested_keys: options.attestedKeys,
+    user_authentication: options.userAuthentication,
+    key_storage: options.keyStorage,
+    certification: options.certification,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
+  return jwt;
+}
 async function verifyKeyAttestationJwt(options) {
   const { header, payload } = decodeJwt({
     jwt: options.keyAttestationJwt,
@@ -1413,10 +1580,10 @@ import { ContentType as ContentType3, ValidationError as ValidationError3, creat
 
 // src/nonce/z-nonce.ts
 import { zInteger as zInteger3 } from "@openid4vc/utils";
-import z17 from "zod";
-var zNonceResponse = z17.object({
-  c_nonce: z17.string(),
-  c_nonce_expires_in: z17.optional(zInteger3)
+import z19 from "zod";
+var zNonceResponse = z19.object({
+  c_nonce: z19.string(),
+  c_nonce_expires_in: z19.optional(zInteger3)
 }).passthrough();
 
 // src/nonce/nonce-request.ts
@@ -1459,15 +1626,15 @@ import {
 import { ContentType as ContentType4, isResponseContentType as isResponseContentType2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
 
 // src/notification/z-notification.ts
-import z18 from "zod";
-var zNotificationEvent = z18.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
-var zNotificationRequest = z18.object({
-  notification_id: z18.string(),
+import z20 from "zod";
+var zNotificationEvent = z20.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
+var zNotificationRequest = z20.object({
+  notification_id: z20.string(),
   event: zNotificationEvent,
-  event_description: z18.optional(z18.string())
+  event_description: z20.optional(z20.string())
 }).passthrough();
-var zNotificationErrorResponse = z18.object({
-  error: z18.enum(["invalid_notification_id", "invalid_notification_request"])
+var zNotificationErrorResponse = z20.object({
+  error: z20.enum(["invalid_notification_id", "invalid_notification_request"])
 }).passthrough();
 
 // src/notification/notification.ts
@@ -1610,7 +1777,6 @@ var Openid4vciClient = class {
           issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
         },
         dpop: options.dpop,
-        clientAttestation: options.clientAttestation,
         resource: options.issuerMetadata.credentialIssuer.credential_issuer,
         authorizationServerMetadata
       });
@@ -1664,7 +1830,6 @@ var Openid4vciClient = class {
       redirectUri: options.redirectUri,
       scope: options.scope,
       pkceCodeVerifier: options.pkceCodeVerifier,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
     return {
@@ -1683,8 +1848,7 @@ var Openid4vciClient = class {
     issuerMetadata,
     additionalRequestPayload,
     txCode,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     if (!credentialOffer.grants?.[preAuthorizedCodeGrantIdentifier3]) {
       throw new Oauth2Error7(`The credential offer does not contain the '${preAuthorizedCodeGrantIdentifier3}' grant.`);
@@ -1709,8 +1873,7 @@ var Openid4vciClient = class {
       txCode,
       resource: issuerMetadata.credentialIssuer.credential_issuer,
       additionalRequestPayload,
-      dpop,
-      clientAttestation
+      dpop
     });
     return {
       ...result,
@@ -1728,8 +1891,7 @@ var Openid4vciClient = class {
     authorizationCode,
     pkceCodeVerifier,
     redirectUri,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     if (!credentialOffer.grants?.[authorizationCodeGrantIdentifier2]) {
       throw new Oauth2Error7(`The credential offer does not contain the '${authorizationCodeGrantIdentifier2}' grant.`);
@@ -1748,7 +1910,6 @@ var Openid4vciClient = class {
       pkceCodeVerifier,
       additionalRequestPayload,
       dpop,
-      clientAttestation,
       redirectUri,
       resource: issuerMetadata.credentialIssuer.credential_issuer
     });
@@ -1826,20 +1987,34 @@ var Openid4vciClient = class {
     accessToken,
     dpop
   }) {
-    const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
-      credentialConfigurationId,
-      issuerMetadata
-    });
-    const credentialResponse = await retrieveCredentialsWithFormat({
-      accessToken,
-      formatPayload,
-      issuerMetadata,
-      additionalRequestPayload,
-      proof,
-      proofs,
-      callbacks: this.options.callbacks,
-      dpop
-    });
+    let credentialResponse;
+    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+      credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
+        accessToken,
+        credentialConfigurationId,
+        issuerMetadata,
+        additionalRequestPayload,
+        proof,
+        proofs,
+        callbacks: this.options.callbacks,
+        dpop
+      });
+    } else {
+      const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
+        credentialConfigurationId,
+        issuerMetadata
+      });
+      credentialResponse = await retrieveCredentialsWithFormat({
+        accessToken,
+        formatPayload,
+        issuerMetadata,
+        additionalRequestPayload,
+        proof,
+        proofs,
+        callbacks: this.options.callbacks,
+        dpop
+      });
+    }
     if (!credentialResponse.ok) {
       throw new Openid4vciRetrieveCredentialsError(
         `Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`,
@@ -1880,6 +2055,7 @@ var Openid4vciClient = class {
 
 // src/Openid4vciIssuer.ts
 import {
+  Oauth2AuthorizationServer,
   Oauth2ErrorCodes as Oauth2ErrorCodes3,
   Oauth2JwtVerificationError,
   Oauth2ServerErrorResponseError
@@ -1905,7 +2081,7 @@ function createCredentialResponse(options) {
 
 // src/credential-request/parse-credential-request.ts
 import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
-import z19 from "zod";
+import z21 from "zod";
 function parseCredentialRequest(options) {
   const credentialRequest = parseWithErrorHandling9(
     zCredentialRequest,
@@ -1917,12 +2093,27 @@ function parseCredentialRequest(options) {
   if (knownProofs.success) {
     proofs = knownProofs.data;
   }
-  const knownProof = z19.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+  const knownProof = z21.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
   if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
     proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
   } else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
     proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
   }
+  if (credentialRequest.credential_configuration_id) {
+    getCredentialConfigurationSupportedById(
+      options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+      credentialRequest.credential_configuration_id
+    );
+    const credentialConfigurations = extractKnownCredentialConfigurationSupportedFormats(
+      options.issuerMetadata.credentialIssuer.credential_configurations_supported
+    );
+    return {
+      credentialConfiguration: credentialConfigurations[credentialRequest.credential_configuration_id],
+      credentialConfigurationId: credentialRequest.credential_configuration_id,
+      credentialRequest,
+      proofs
+    };
+  }
   if (credentialRequest.credential_identifier) {
     return {
       credentialIdentifier: credentialRequest.credential_identifier,
@@ -1930,11 +2121,13 @@ function parseCredentialRequest(options) {
       proofs
     };
   }
-  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) {
+  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(
+    credentialRequest.format
+  )) {
     return {
       // Removes all claims that are not specific to this format
       format: parseWithErrorHandling9(
-        z19.union(allCredentialRequestFormats),
+        z21.union(allCredentialRequestFormats),
         credentialRequest,
         "Unable to validate format specific properties from credential request"
       ),
@@ -2086,6 +2279,42 @@ var Openid4vciIssuer = class {
   createNonceResponse(options) {
     return createNonceResponse(options);
   }
+  async verifyWalletAttestation(options) {
+    return new Oauth2AuthorizationServer({
+      callbacks: this.options.callbacks
+    }).verifyClientAttestation(options);
+  }
+};
+
+// src/Openid4vciWalletProvider.ts
+import {
+  createClientAttestationJwt
+} from "@openid4vc/oauth2";
+var Openid4vciWalletProvider = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async createWalletAttestationJwt(options) {
+    const additionalPayload = options.additionalPayload ? {
+      wallet_name: options.walletName,
+      wallet_link: options.walletLink,
+      ...options.additionalPayload
+    } : {
+      wallet_name: options.walletName,
+      wallet_link: options.walletLink
+    };
+    return await createClientAttestationJwt({
+      ...options,
+      callbacks: this.options.callbacks,
+      additionalPayload
+    });
+  }
+  async createKeyAttestationJwt(options) {
+    return await createKeyAttestationJwt({
+      callbacks: this.options.callbacks,
+      ...options
+    });
+  }
 };
 export {
   AuthorizationFlow,
@@ -2095,6 +2324,7 @@ export {
   Openid4vciIssuer,
   Openid4vciRetrieveCredentialsError,
   Openid4vciSendNotificationError,
+  Openid4vciWalletProvider,
   credentialsSupportedToCredentialConfigurationsSupported,
   extractScopesForCredentialConfigurationIds,
   getCredentialConfigurationsMatchingRequestFormat,