@openid4vc/openid4vci 0.3.0-alpha-20250324183425 → 0.3.0-alpha-20250328112257

package/dist/index.mjs

@@ -1,3 +1,231 @@
+// src/credential-offer/credential-offer.ts
+import {
+  InvalidFetchResponseError,
+  Oauth2Error,
+  authorizationCodeGrantIdentifier,
+  getAuthorizationServerMetadataFromList,
+  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier2
+} from "@openid4vc/oauth2";
+import {
+  ContentType,
+  URL,
+  URLSearchParams,
+  ValidationError,
+  createZodFetcher,
+  encodeToBase64Url,
+  getQueryParams,
+  objectToQueryParams,
+  parseWithErrorHandling
+} from "@openid4vc/utils";
+
+// src/version.ts
+var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft15"] = "Draft15";
+  Openid4vciDraftVersion2["Draft14"] = "Draft14";
+  Openid4vciDraftVersion2["Draft11"] = "Draft11";
+  return Openid4vciDraftVersion2;
+})(Openid4vciDraftVersion || {});
+
+// src/credential-offer/z-credential-offer.ts
+import {
+  preAuthorizedCodeGrantIdentifier
+} from "@openid4vc/oauth2";
+import { zHttpsUrl } from "@openid4vc/utils";
+import z from "zod";
+var zTxCode = z.object({
+  input_mode: z.union([z.literal("numeric"), z.literal("text")]).optional(),
+  length: z.number().int().optional(),
+  description: z.string().max(300).optional()
+}).passthrough();
+var zCredentialOfferGrants = z.object({
+  authorization_code: z.object({
+    issuer_state: z.string().optional(),
+    authorization_server: zHttpsUrl.optional()
+  }).passthrough().optional(),
+  [preAuthorizedCodeGrantIdentifier]: z.object({
+    "pre-authorized_code": z.string(),
+    tx_code: zTxCode.optional(),
+    authorization_server: zHttpsUrl.optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialOfferObjectDraft14 = z.object({
+  credential_issuer: zHttpsUrl,
+  credential_configuration_ids: z.array(z.string()),
+  grants: z.optional(zCredentialOfferGrants)
+}).passthrough();
+var zCredentialOfferObjectDraft11To14 = z.object({
+  credential_issuer: zHttpsUrl,
+  // We don't support the inline offer objects from draft 11
+  credentials: z.array(
+    z.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
+  ),
+  grants: z.optional(
+    z.object({
+      // Has extra param in draft 14, but doesn't matter for transform purposes
+      authorization_code: zCredentialOfferGrants.shape.authorization_code,
+      [preAuthorizedCodeGrantIdentifier]: z.object({
+        "pre-authorized_code": z.string(),
+        user_pin_required: z.optional(z.boolean())
+      }).passthrough().optional()
+    })
+  )
+}).passthrough().transform(({ credentials, grants, ...rest }) => {
+  const v14 = {
+    ...rest,
+    credential_configuration_ids: credentials
+  };
+  if (grants) {
+    v14.grants = { ...grants };
+    if (grants[preAuthorizedCodeGrantIdentifier]) {
+      const { user_pin_required, ...restGrants } = grants[preAuthorizedCodeGrantIdentifier];
+      v14.grants[preAuthorizedCodeGrantIdentifier] = {
+        ...restGrants
+      };
+      if (user_pin_required) {
+        v14.grants[preAuthorizedCodeGrantIdentifier].tx_code = {
+          input_mode: "text"
+        };
+      }
+    }
+  }
+  return v14;
+}).pipe(zCredentialOfferObjectDraft14);
+var zCredentialOfferObject = z.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialOfferObjectDraft14,
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialOfferObjectDraft11To14
+]);
+
+// src/credential-offer/credential-offer.ts
+async function resolveCredentialOffer(credentialOffer, options) {
+  const parsedQueryParams = getQueryParams(credentialOffer);
+  let credentialOfferParseResult;
+  if (parsedQueryParams.credential_offer_uri) {
+    const fetchWithZod = createZodFetcher(options?.fetch);
+    const { response, result } = await fetchWithZod(
+      zCredentialOfferObject,
+      ContentType.Json,
+      parsedQueryParams.credential_offer_uri
+    );
+    if (!response.ok || !result) {
+      throw new InvalidFetchResponseError(
+        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
+        await response.clone().text(),
+        response
+      );
+    }
+    credentialOfferParseResult = result;
+  } else if (parsedQueryParams.credential_offer) {
+    let credentialOfferJson;
+    try {
+      credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
+    } catch (error) {
+      throw new Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
+    }
+    credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
+  } else {
+    throw new Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
+  }
+  if (credentialOfferParseResult.error) {
+    throw new ValidationError(
+      `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
+      credentialOfferParseResult.error
+    );
+  }
+  return credentialOfferParseResult.data;
+}
+function determineAuthorizationServerForCredentialOffer(options) {
+  const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
+  let authorizationServer;
+  if (options.grantAuthorizationServer) {
+    authorizationServer = options.grantAuthorizationServer;
+    if (!authorizationServers) {
+      throw new Oauth2Error(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
+      );
+    }
+    if (!authorizationServers.includes(authorizationServer)) {
+      throw new Oauth2Error(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
+      );
+    }
+  } else if (!authorizationServers) {
+    authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
+  } else {
+    if (authorizationServers.length === 0) {
+      throw new Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
+    }
+    if (authorizationServers.length > 1) {
+      throw new Oauth2Error(
+        `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
+      );
+    }
+    authorizationServer = authorizationServers[0];
+  }
+  return authorizationServer;
+}
+async function createCredentialOffer(options) {
+  const {
+    [preAuthorizedCodeGrantIdentifier2]: preAuthorizedCodeGrant,
+    [authorizationCodeGrantIdentifier]: authorizationCodeGrant,
+    ...restGrants
+  } = options.grants;
+  const grants = { ...restGrants };
+  if (authorizationCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    grants[authorizationCodeGrantIdentifier] = authorizationCodeGrant;
+  }
+  if (preAuthorizedCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
+    });
+    grants[preAuthorizedCodeGrantIdentifier2] = {
+      ...preAuthorizedCodeGrant,
+      "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? encodeToBase64Url(await options.callbacks.generateRandom(32))
+    };
+    const txCode = grants[preAuthorizedCodeGrantIdentifier2].tx_code;
+    if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+      grants[preAuthorizedCodeGrantIdentifier2].user_pin_required = txCode !== void 0;
+    }
+  }
+  const idsNotInMetadata = options.credentialConfigurationIds.filter(
+    (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
+  );
+  if (idsNotInMetadata.length > 0) {
+    throw new Oauth2Error(
+      `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
+    );
+  }
+  const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
+  const credentialOfferObject = parseWithErrorHandling(zCredentialOfferObject, {
+    credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+    credential_configuration_ids: options.credentialConfigurationIds,
+    grants,
+    ...options.additionalPayload
+  });
+  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+    credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
+  }
+  const url = new URL(credentialOfferScheme);
+  url.search = `?${new URLSearchParams([
+    ...url.searchParams.entries(),
+    ...objectToQueryParams({
+      credential_offer_uri: options.credentialOfferUri,
+      // Only add credential_offer is uri is undefined
+      credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
+    }).entries()
+  ]).toString()}`;
+  return {
+    credentialOffer: url.toString(),
+    credentialOfferObject
+  };
+}
+
 // src/index.ts
 import { getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
 
@@ -5,54 +233,20 @@ import { getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
 import { arrayEqualsIgnoreOrder } from "@openid4vc/utils";
 
 // src/metadata/credential-issuer/credential-issuer-metadata.ts
-import { Oauth2Error, fetchWellKnownMetadata } from "@openid4vc/oauth2";
+import { Oauth2Error as Oauth2Error2, fetchWellKnownMetadata } from "@openid4vc/oauth2";
 import { joinUriParts } from "@openid4vc/utils";
 
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 import { zCompactJwt } from "@openid4vc/oauth2";
-import { zHttpsUrl } from "@openid4vc/utils";
-import z9 from "zod";
+import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
+import z12 from "zod";
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
 import z3 from "zod";
 
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+// src/metadata/credential-issuer/z-claims-description.ts
 import z2 from "zod";
-
-// src/key-attestation/z-key-attestation.ts
-import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
-import { zInteger } from "@openid4vc/utils";
-import z from "zod";
-var zKeyAttestationJwtHeader = z.object({
-  ...zJwtHeader.shape,
-  typ: z.literal("keyattestation+jwt")
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
-  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
-}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
-  message: `When 'trust_chain' is provided, 'kid' is required`
-});
-var zIso18045 = z.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
-var zIso18045OrStringArray = z.array(z.union([zIso18045, z.string()]));
-var zKeyAttestationJwtPayload = z.object({
-  ...zJwtPayload.shape,
-  iat: zInteger,
-  attested_keys: z.array(zJwk),
-  key_storage: z.optional(zIso18045OrStringArray),
-  user_authentication: z.optional(zIso18045OrStringArray),
-  certification: z.optional(z.string())
-}).passthrough();
-var zKeyAttestationJwtPayloadForUse = (use) => z.object({
-  ...zKeyAttestationJwtPayload.shape,
-  // REQUIRED when used as proof_type.attesation directly
-  nonce: use === "proof_type.attestation" ? z.string({
-    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
-  }) : z.optional(z.string()),
-  // REQUIRED when used within header of proof_type.jwt
-  exp: use === "proof_type.jwt" ? zInteger : z.optional(zInteger)
-}).passthrough();
-
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var zCredentialConfigurationSupportedClaims = z2.object({
+var zCredentialConfigurationSupportedClaimsDraft14 = z2.object({
   mandatory: z2.boolean().optional(),
   value_type: z2.string().optional(),
   display: z2.object({
@@ -60,108 +254,117 @@ var zCredentialConfigurationSupportedClaims = z2.object({
     locale: z2.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialConfigurationSupportedCommon = z2.object({
-  format: z2.string(),
-  scope: z2.string().optional(),
-  cryptographic_binding_methods_supported: z2.array(z2.string()).optional(),
-  credential_signing_alg_values_supported: z2.array(z2.string()).optional(),
-  proof_types_supported: z2.record(
-    z2.union([z2.literal("jwt"), z2.literal("attestation"), z2.string()]),
-    z2.object({
-      proof_signing_alg_values_supported: z2.array(z2.string()),
-      key_attestations_required: z2.object({
-        key_storage: zIso18045OrStringArray.optional(),
-        user_authentication: zIso18045OrStringArray.optional()
-      }).passthrough().optional()
-    })
-  ).optional(),
+var zClaimsDescriptionPath = z2.array(z2.union([z2.string(), z2.number().int().nonnegative(), z2.null()])).nonempty();
+var zMsoMdocClaimsDescriptionPath = z2.tuple([z2.string(), z2.string()], {
+  message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential"
+});
+var zIssuerMetadataClaimsDescription = z2.object({
+  path: zClaimsDescriptionPath,
+  mandatory: z2.boolean().optional(),
   display: z2.array(
     z2.object({
-      name: z2.string(),
-      locale: z2.string().optional(),
-      logo: z2.object({
-        // FIXME: make required again, but need to support draft 11 first
-        uri: z2.string().optional(),
-        alt_text: z2.string().optional()
-      }).passthrough().optional(),
-      description: z2.string().optional(),
-      background_color: z2.string().optional(),
-      background_image: z2.object({
-        // TODO: should be required, but paradym's metadata is wrong here.
-        uri: z2.string().optional()
-      }).passthrough().optional(),
-      text_color: z2.string().optional()
+      name: z2.string().optional(),
+      locale: z2.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
+var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({
+  path: zMsoMdocClaimsDescriptionPath
+});
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
 var zMsoMdocFormatIdentifier = z3.literal("mso_mdoc");
 var zMsoMdocCredentialIssuerMetadata = z3.object({
   format: zMsoMdocFormatIdentifier,
   doctype: z3.string(),
-  claims: z3.optional(zCredentialConfigurationSupportedClaims),
+  claims: z3.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+});
+var zMsoMdocCredentialIssuerMetadataDraft14 = z3.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: z3.string(),
+  claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
   order: z3.optional(z3.array(z3.string()))
 });
-var zMsoMdocCredentialRequestFormat = z3.object({
+var zMsoMdocCredentialRequestFormatDraft14 = z3.object({
   format: zMsoMdocFormatIdentifier,
   doctype: z3.string(),
-  claims: z3.optional(zCredentialConfigurationSupportedClaims)
+  // Format based request is removed in Draft 15, so only old claims syntax supported.
+  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 
 // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
 import z4 from "zod";
 var zSdJwtVcFormatIdentifier = z4.literal("vc+sd-jwt");
-var zSdJwtVcCredentialIssuerMetadata = z4.object({
+var zSdJwtVcCredentialIssuerMetadataDraft14 = z4.object({
   vct: z4.string(),
   format: zSdJwtVcFormatIdentifier,
-  claims: z4.optional(zCredentialConfigurationSupportedClaims),
+  claims: z4.optional(zCredentialConfigurationSupportedClaimsDraft14),
   order: z4.optional(z4.array(z4.string()))
 });
-var zSdJwtVcCredentialRequestFormat = z4.object({
+var zSdJwtVcCredentialRequestFormatDraft14 = z4.object({
   format: zSdJwtVcFormatIdentifier,
   vct: z4.string(),
-  claims: z4.optional(zCredentialConfigurationSupportedClaims)
+  claims: z4.optional(zCredentialConfigurationSupportedClaimsDraft14)
+});
+
+// src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
+import z5 from "zod";
+var zSdJwtDcFormatIdentifier = z5.literal("dc+sd-jwt");
+var zSdJwtDcCredentialIssuerMetadata = z5.object({
+  vct: z5.string(),
+  format: zSdJwtDcFormatIdentifier,
+  claims: z5.array(zIssuerMetadataClaimsDescription).optional()
 });
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-import z6 from "zod";
+import z7 from "zod";
 
 // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
-import z5 from "zod";
-var zCredentialSubjectLeafType = z5.object({
-  mandatory: z5.boolean().optional(),
-  value_type: z5.string().optional(),
-  display: z5.array(
-    z5.object({
-      name: z5.string().optional(),
-      locale: z5.string().optional()
+import z6 from "zod";
+var zCredentialSubjectLeafTypeDraft14 = z6.object({
+  mandatory: z6.boolean().optional(),
+  value_type: z6.string().optional(),
+  display: z6.array(
+    z6.object({
+      name: z6.string().optional(),
+      locale: z6.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
-var zClaimValueSchema = z5.union([z5.array(z5.any()), z5.record(z5.string(), z5.any()), zCredentialSubjectLeafType]);
-var zW3cVcCredentialSubject = z5.record(z5.string(), zClaimValueSchema);
-var zW3cVcJsonLdCredentialDefinition = z5.object({
-  "@context": z5.array(z5.string()),
-  type: z5.array(z5.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+var zClaimValueSchemaDraft14 = z6.union([
+  z6.array(z6.any()),
+  z6.record(z6.string(), z6.any()),
+  zCredentialSubjectLeafTypeDraft14
+]);
+var zW3cVcCredentialSubjectDraft14 = z6.record(z6.string(), zClaimValueSchemaDraft14);
+var zW3cVcJsonLdCredentialDefinition = z6.object({
+  "@context": z6.array(z6.string()),
+  type: z6.array(z6.string())
 }).passthrough();
+var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
+});
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-var zLdpVcFormatIdentifier = z6.literal("ldp_vc");
-var zLdpVcCredentialIssuerMetadata = z6.object({
+var zLdpVcFormatIdentifier = z7.literal("ldp_vc");
+var zLdpVcCredentialIssuerMetadata = z7.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
-  order: z6.array(z6.string()).optional()
+  claims: zIssuerMetadataClaimsDescription.optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft14 = z7.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
+  order: z7.array(z7.string()).optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft11 = z6.object({
-  order: z6.array(z6.string()).optional(),
+var zLdpVcCredentialIssuerMetadataDraft11 = z7.object({
+  order: z7.array(z7.string()).optional(),
   format: zLdpVcFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": z6.array(z6.string()),
-  types: z6.array(z6.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  "@context": z7.array(z7.string()),
+  types: z7.array(z7.string()),
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
   ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -174,22 +377,22 @@ var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDr
     }
   })
 );
-var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   ...credentialDefinition,
   types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-var zLdpVcCredentialRequestFormat = z6.object({
+var zLdpVcCredentialRequestFormatDraft14 = z7.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: zW3cVcJsonLdCredentialDefinition
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
-var zLdpVcCredentialRequestDraft11 = z6.object({
+var zLdpVcCredentialRequestDraft11 = z7.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: z6.object({
-    "@context": z6.array(z6.string()),
+  credential_definition: z7.object({
+    "@context": z7.array(z7.string()),
     // credential_definition was using types instead of type in v11
-    types: z6.array(z6.string()),
-    credentialSubject: zW3cVcCredentialSubject.optional()
+    types: z7.array(z7.string()),
+    credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
   })
 }).passthrough();
 var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(
@@ -201,7 +404,7 @@ var zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transfor
     }
   })
 );
-var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
   ...rest,
   credential_definition: {
     ...restCredentialDefinition,
@@ -210,21 +413,26 @@ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormat.passthrou
 })).pipe(zLdpVcCredentialRequestDraft11);
 
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
-import z7 from "zod";
-var zJwtVcJsonLdFormatIdentifier = z7.literal("jwt_vc_json-ld");
-var zJwtVcJsonLdCredentialIssuerMetadata = z7.object({
+import z8 from "zod";
+var zJwtVcJsonLdFormatIdentifier = z8.literal("jwt_vc_json-ld");
+var zJwtVcJsonLdCredentialIssuerMetadata = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
-  order: z7.optional(z7.array(z7.string()))
+  claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z7.object({
-  order: z7.array(z7.string()).optional(),
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = z8.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
+  order: z8.optional(z8.array(z8.string()))
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z8.object({
+  order: z8.array(z8.string()).optional(),
   format: zJwtVcJsonLdFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": z7.array(z7.string()),
-  types: z7.array(z7.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  "@context": z8.array(z8.string()),
+  types: z8.array(z8.string()),
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
   ({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -237,22 +445,22 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssu
     }
   })
 );
-var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   ...credentialDefinition,
   types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-var zJwtVcJsonLdCredentialRequestFormat = z7.object({
+var zJwtVcJsonLdCredentialRequestFormatDraft14 = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition
 });
-var zJwtVcJsonLdCredentialRequestDraft11 = z7.object({
+var zJwtVcJsonLdCredentialRequestDraft11 = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
-  credential_definition: z7.object({
-    "@context": z7.array(z7.string()),
+  credential_definition: z8.object({
+    "@context": z8.array(z8.string()),
     // credential_definition was using types instead of type in v11
-    types: z7.array(z7.string()),
-    credentialSubject: z7.optional(zW3cVcCredentialSubject)
+    types: z8.array(z8.string()),
+    credentialSubject: z8.optional(zW3cVcCredentialSubjectDraft14)
   }).passthrough()
 }).passthrough();
 var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -264,7 +472,7 @@ var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraf
     }
   })
 );
-var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
+var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...restCredentialDefinition }, ...rest }) => ({
   ...rest,
   credential_definition: {
     ...restCredentialDefinition,
@@ -273,24 +481,31 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
 })).pipe(zJwtVcJsonLdCredentialRequestDraft11);
 
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
-import z8 from "zod";
-var zJwtVcJsonFormatIdentifier = z8.literal("jwt_vc_json");
-var zJwtVcJsonCredentialDefinition = z8.object({
-  type: z8.array(z8.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+import z9 from "zod";
+var zJwtVcJsonFormatIdentifier = z9.literal("jwt_vc_json");
+var zJwtVcJsonCredentialDefinition = z9.object({
+  type: z9.array(z9.string())
 }).passthrough();
-var zJwtVcJsonCredentialIssuerMetadata = z8.object({
+var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
+});
+var zJwtVcJsonCredentialIssuerMetadata = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition,
-  order: z8.array(z8.string()).optional()
+  claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft11 = z8.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft14 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
-  order: z8.array(z8.string()).optional(),
+  credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
+  order: z9.array(z9.string()).optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft11 = z9.object({
+  format: zJwtVcJsonFormatIdentifier,
+  order: z9.array(z9.string()).optional(),
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: z8.array(z8.string()),
-  credentialSubject: zW3cVcCredentialSubject.optional()
+  types: z9.array(z9.string()),
+  credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
   ({ types, credentialSubject, ...rest }) => ({
@@ -302,21 +517,21 @@ var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMe
     }
   })
 );
-var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadata.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-var zJwtVcJsonCredentialRequestFormat = z8.object({
+var zJwtVcJsonCredentialRequestFormatDraft14 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition
 });
-var zJwtVcJsonCredentialRequestDraft11 = z8.object({
+var zJwtVcJsonCredentialRequestDraft11 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: z8.array(z8.string()),
-  credentialSubject: z8.optional(zW3cVcCredentialSubject)
+  types: z9.array(z9.string()),
+  credentialSubject: z9.optional(zW3cVcCredentialSubjectDraft14)
 }).passthrough();
 var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
   ({ types, credentialSubject, ...rest }) => {
@@ -330,26 +545,98 @@ var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.
     };
   }
 );
-var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
+var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type, ...credentialDefinition }, ...rest }) => ({
   ...rest,
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialRequestDraft11);
 
-// src/version.ts
-var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
-  Openid4vciDraftVersion2["Draft14"] = "Draft14";
-  Openid4vciDraftVersion2["Draft11"] = "Draft11";
-  return Openid4vciDraftVersion2;
-})(Openid4vciDraftVersion || {});
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+import z11 from "zod";
+
+// src/key-attestation/z-key-attestation.ts
+import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
+import { zInteger } from "@openid4vc/utils";
+import z10 from "zod";
+var zKeyAttestationJwtHeader = z10.object({
+  ...zJwtHeader.shape,
+  typ: z10.literal("keyattestation+jwt").or(
+    // Draft 16
+    z10.literal("key-attestation+jwt")
+  )
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = z10.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = z10.array(z10.union([zIso18045, z10.string()]));
+var zKeyAttestationJwtPayload = z10.object({
+  ...zJwtPayload.shape,
+  iat: zInteger,
+  attested_keys: z10.array(zJwk),
+  key_storage: z10.optional(zIso18045OrStringArray),
+  user_authentication: z10.optional(zIso18045OrStringArray),
+  certification: z10.optional(z10.string().url())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => z10.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? z10.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : z10.optional(z10.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? zInteger : z10.optional(zInteger)
+}).passthrough();
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedCommon = z11.object({
+  format: z11.string(),
+  scope: z11.string().optional(),
+  cryptographic_binding_methods_supported: z11.array(z11.string()).optional(),
+  credential_signing_alg_values_supported: z11.array(z11.string()).optional(),
+  proof_types_supported: z11.record(
+    z11.union([z11.literal("jwt"), z11.literal("attestation"), z11.string()]),
+    z11.object({
+      proof_signing_alg_values_supported: z11.array(z11.string()),
+      key_attestations_required: z11.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  display: z11.array(
+    z11.object({
+      name: z11.string(),
+      locale: z11.string().optional(),
+      logo: z11.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: z11.string().optional(),
+        alt_text: z11.string().optional()
+      }).passthrough().optional(),
+      description: z11.string().optional(),
+      background_color: z11.string().optional(),
+      background_image: z11.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: z11.string().optional()
+      }).passthrough().optional(),
+      text_color: z11.string().optional()
+    }).passthrough()
+  ).optional()
+}).passthrough();
 
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 var allCredentialIssuerMetadataFormats = [
-  zSdJwtVcCredentialIssuerMetadata,
+  zSdJwtDcCredentialIssuerMetadata,
   zMsoMdocCredentialIssuerMetadata,
   zJwtVcJsonLdCredentialIssuerMetadata,
   zLdpVcCredentialIssuerMetadata,
-  zJwtVcJsonCredentialIssuerMetadata
+  zJwtVcJsonCredentialIssuerMetadata,
+  zMsoMdocCredentialIssuerMetadataDraft14,
+  zSdJwtVcCredentialIssuerMetadataDraft14,
+  zJwtVcJsonLdCredentialIssuerMetadataDraft14,
+  zLdpVcCredentialIssuerMetadataDraft14,
+  zJwtVcJsonCredentialIssuerMetadataDraft14
 ];
 var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map(
   (format) => format.shape.format.value
@@ -357,56 +644,69 @@ var allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFo
 var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSupportedCommon.transform(
   (data, ctx) => {
     if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
-    const result = z9.object({}).passthrough().and(z9.discriminatedUnion("format", allCredentialIssuerMetadataFormats)).safeParse(data);
+    const validators = allCredentialIssuerMetadataFormats.reduce(
+      (validators2, formatValidator) => {
+        const format = formatValidator.shape.format.value;
+        if (!validators2[format]) {
+          validators2[format] = [];
+        }
+        validators2[format].push(formatValidator);
+        return validators2;
+      },
+      {}
+    )[data.format];
+    const result = z12.object({}).passthrough().and(
+      validators.length > 1 ? z12.union(validators) : validators[0]
+    ).safeParse(data);
     if (result.success) {
       return result.data;
     }
     for (const issue of result.error.issues) {
       ctx.addIssue(issue);
     }
-    return z9.NEVER;
+    return z12.NEVER;
   }
 );
-var zCredentialIssuerMetadataDisplayEntry = z9.object({
-  name: z9.string().optional(),
-  locale: z9.string().optional(),
-  logo: z9.object({
+var zCredentialIssuerMetadataDisplayEntry = z12.object({
+  name: z12.string().optional(),
+  locale: z12.string().optional(),
+  logo: z12.object({
     // FIXME: make required again, but need to support draft 11 first
-    uri: z9.string().optional(),
-    alt_text: z9.string().optional()
+    uri: z12.string().optional(),
+    alt_text: z12.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialIssuerMetadataDraft14 = z9.object({
-  credential_issuer: zHttpsUrl,
-  authorization_servers: z9.array(zHttpsUrl).optional(),
-  credential_endpoint: zHttpsUrl,
-  deferred_credential_endpoint: zHttpsUrl.optional(),
-  notification_endpoint: zHttpsUrl.optional(),
+var zCredentialIssuerMetadataDraft14Draft15 = z12.object({
+  credential_issuer: zHttpsUrl2,
+  authorization_servers: z12.array(zHttpsUrl2).optional(),
+  credential_endpoint: zHttpsUrl2,
+  deferred_credential_endpoint: zHttpsUrl2.optional(),
+  notification_endpoint: zHttpsUrl2.optional(),
   // Added after draft 14, but needed for proper
-  nonce_endpoint: zHttpsUrl.optional(),
-  credential_response_encryption: z9.object({
-    alg_values_supported: z9.array(z9.string()),
-    enc_values_supported: z9.array(z9.string()),
-    encryption_required: z9.boolean()
+  nonce_endpoint: zHttpsUrl2.optional(),
+  credential_response_encryption: z12.object({
+    alg_values_supported: z12.array(z12.string()),
+    enc_values_supported: z12.array(z12.string()),
+    encryption_required: z12.boolean()
   }).passthrough().optional(),
-  batch_credential_issuance: z9.object({
-    batch_size: z9.number().positive()
+  batch_credential_issuance: z12.object({
+    batch_size: z12.number().positive()
   }).passthrough().optional(),
   signed_metadata: zCompactJwt.optional(),
-  display: z9.array(zCredentialIssuerMetadataDisplayEntry).optional(),
-  credential_configurations_supported: z9.record(z9.string(), zCredentialConfigurationSupportedWithFormats)
+  display: z12.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+  credential_configurations_supported: z12.record(z12.string(), zCredentialConfigurationSupportedWithFormats)
 }).passthrough();
-var zCredentialConfigurationSupportedDraft11To14 = z9.object({
-  id: z9.string().optional(),
-  format: z9.string(),
-  cryptographic_suites_supported: z9.array(z9.string()).optional(),
-  display: z9.array(
-    z9.object({
-      logo: z9.object({
-        url: z9.string().url().optional()
+var zCredentialConfigurationSupportedDraft11To14 = z12.object({
+  id: z12.string().optional(),
+  format: z12.string(),
+  cryptographic_suites_supported: z12.array(z12.string()).optional(),
+  display: z12.array(
+    z12.object({
+      logo: z12.object({
+        url: z12.string().url().optional()
       }).passthrough().optional(),
-      background_image: z9.object({
-        url: z9.string().url().optional()
+      background_image: z12.object({
+        url: z12.string().url().optional()
       }).passthrough().optional()
     }).passthrough()
   ).optional()
@@ -447,11 +747,11 @@ var zCredentialConfigurationSupportedDraft11To14 = z9.object({
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z9.NEVER;
+  return z12.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
-  z9.object({
-    id: z9.string()
+  z12.object({
+    id: z12.string()
   }).passthrough()
 ).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
   ...rest,
@@ -471,15 +771,15 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
   } : {},
   id
 })).pipe(
-  z9.union([
+  z12.union([
     zLdpVcCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
     // To handle unrecognized formats and not error immediately we allow the common format as well
     // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
     // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
-    z9.object({
-      format: z9.string().refine(
+    z12.object({
+      format: z12.string().refine(
         (input) => ![
           zLdpVcFormatIdentifier.value,
           zJwtVcJsonFormatIdentifier.value,
@@ -489,11 +789,11 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     }).passthrough()
   ])
 );
-var zCredentialIssuerMetadataDraft11To14 = z9.object({
-  authorization_server: z9.string().optional(),
-  credentials_supported: z9.array(
-    z9.object({
-      id: z9.string().optional()
+var zCredentialIssuerMetadataDraft11To14 = z12.object({
+  authorization_server: z12.string().optional(),
+  credentials_supported: z12.array(
+    z12.object({
+      id: z12.string().optional()
     }).passthrough()
   )
 }).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
@@ -506,12 +806,12 @@ var zCredentialIssuerMetadataDraft11To14 = z9.object({
     )
   };
 }).pipe(
-  z9.object({
+  z12.object({
     // Update from v11 structrue to v14 structure
-    credential_configurations_supported: z9.record(z9.string(), zCredentialConfigurationSupportedDraft11To14)
+    credential_configurations_supported: z12.record(z12.string(), zCredentialConfigurationSupportedDraft11To14)
   }).passthrough()
-).pipe(zCredentialIssuerMetadataDraft14);
-var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.transform((issuerMetadata) => ({
+).pipe(zCredentialIssuerMetadataDraft14Draft15);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
   ...issuerMetadata,
   ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
   credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
@@ -519,22 +819,35 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14.tran
     id
   }))
 })).pipe(
-  zCredentialIssuerMetadataDraft14.extend({
-    credentials_supported: z9.array(zCredentialConfigurationSupportedDraft14To11)
+  zCredentialIssuerMetadataDraft14Draft15.extend({
+    credentials_supported: z12.array(zCredentialConfigurationSupportedDraft14To11)
   })
 );
-var zCredentialIssuerMetadata = z9.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialIssuerMetadataDraft14,
+var zCredentialIssuerMetadata = z12.union([
+  // First prioritize draft 15/14 (and 13)
+  zCredentialIssuerMetadataDraft14Draft15,
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14
 ]);
-var zCredentialIssuerMetadataWithDraftVersion = z9.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialIssuerMetadataDraft14.transform((credentialIssuerMetadata) => ({
-    credentialIssuerMetadata,
-    originalDraftVersion: "Draft14" /* Draft14 */
-  })),
+var zCredentialIssuerMetadataWithDraftVersion = z12.union([
+  zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
+    const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
+      (configuration) => {
+        const knownConfiguration = configuration;
+        if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
+        if (Array.isArray(knownConfiguration.claims)) return true;
+        if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
+          (proofType) => proofType.key_attestations_required !== void 0
+        ))
+          return true;
+        return false;
+      }
+    );
+    return {
+      credentialIssuerMetadata,
+      originalDraftVersion: isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
+    };
+  }),
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
     credentialIssuerMetadata,
@@ -548,7 +861,7 @@ async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
   const wellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
   const result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
   if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) {
-    throw new Oauth2Error(
+    throw new Oauth2Error2(
       `The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`
     );
   }
@@ -561,6 +874,15 @@ function extractKnownCredentialConfigurationSupportedFormats(credentialConfigura
     )
   );
 }
+function getCredentialConfigurationSupportedById(credentialConfigurations, credentialConfigurationId) {
+  const configuration = credentialConfigurations[credentialConfigurationId];
+  if (!configuration) {
+    throw new Oauth2Error2(
+      `Credential configuration with id '${credentialConfigurationId}' not found in credential configurations supported.`
+    );
+  }
+  return configuration;
+}
 
 // src/credential-request/credential-request-configurations.ts
 function getCredentialConfigurationsMatchingRequestFormat({
@@ -619,302 +941,132 @@ var Openid4vciSendNotificationError = class extends Openid4vciError {
   }
 };
 
-// src/metadata/credential-issuer/credential-configurations.ts
-import { Oauth2Error as Oauth2Error2 } from "@openid4vc/oauth2";
-import { ValidationError } from "@openid4vc/utils";
-function extractScopesForCredentialConfigurationIds(options) {
-  const scopes = /* @__PURE__ */ new Set();
-  for (const credentialConfigurationId of options.credentialConfigurationIds) {
-    const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
-    if (!credentialConfiguration) {
-      throw new Oauth2Error2(
-        `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
-      );
-    }
-    const scope = credentialConfiguration.scope;
-    if (scope) scopes.add(scope);
-    else if (!scope && options.throwOnConfigurationWithoutScope) {
-      throw new Oauth2Error2(
-        `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
-      );
-    }
-  }
-  return scopes.size > 0 ? Array.from(scopes) : void 0;
-}
-function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported) {
-  const credentialConfigurationsSupported = {};
-  for (let index = 0; index < credentialsSupported.length; index++) {
-    const credentialSupported = credentialsSupported[index];
-    if (!credentialSupported.id) {
-      throw new Openid4vciError(
-        `Credential supported at index '${index}' does not have an 'id' property. Credential configuration requires the 'id' property as key`
-      );
-    }
-    const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
-    if (!parseResult.success) {
-      throw new ValidationError(
-        `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
-        parseResult.error
-      );
-    }
-    credentialConfigurationsSupported[credentialSupported.id] = parseResult.data;
-  }
-  return credentialConfigurationsSupported;
+// src/key-attestation/key-attestation.ts
+import { decodeJwt, jwtHeaderFromJwtSigner } from "@openid4vc/oauth2";
+import { jwtSignerFromJwt, verifyJwt } from "@openid4vc/oauth2";
+import { dateToSeconds, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+async function createKeyAttestationJwt(options) {
+  const header = parseWithErrorHandling2(zKeyAttestationJwtHeader, {
+    ...jwtHeaderFromJwtSigner(options.signer),
+    typ: "keyattestation+jwt"
+  });
+  const payload = parseWithErrorHandling2(zKeyAttestationJwtPayloadForUse(options.use), {
+    iat: dateToSeconds(options.issuedAt),
+    exp: options.expiresAt ? dateToSeconds(options.expiresAt) : void 0,
+    nonce: options.nonce,
+    attested_keys: options.attestedKeys,
+    user_authentication: options.userAuthentication,
+    key_storage: options.keyStorage,
+    certification: options.certification,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
+  return jwt;
 }
-
-// src/Openid4vciClient.ts
-import {
-  Oauth2Client,
-  Oauth2ClientAuthorizationChallengeError,
-  Oauth2Error as Oauth2Error7,
-  Oauth2ErrorCodes as Oauth2ErrorCodes2,
-  authorizationCodeGrantIdentifier as authorizationCodeGrantIdentifier2,
-  getAuthorizationServerMetadataFromList as getAuthorizationServerMetadataFromList2,
-  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier3
-} from "@openid4vc/oauth2";
-
-// src/credential-offer/credential-offer.ts
-import {
-  InvalidFetchResponseError,
-  Oauth2Error as Oauth2Error3,
-  authorizationCodeGrantIdentifier,
-  getAuthorizationServerMetadataFromList,
-  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier2
-} from "@openid4vc/oauth2";
-import {
-  ContentType,
-  URL,
-  URLSearchParams,
-  ValidationError as ValidationError2,
-  createZodFetcher,
-  encodeToBase64Url,
-  getQueryParams,
-  objectToQueryParams,
-  parseWithErrorHandling
-} from "@openid4vc/utils";
-
-// src/credential-offer/z-credential-offer.ts
-import {
-  preAuthorizedCodeGrantIdentifier
-} from "@openid4vc/oauth2";
-import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
-import z10 from "zod";
-var zTxCode = z10.object({
-  input_mode: z10.union([z10.literal("numeric"), z10.literal("text")]).optional(),
-  length: z10.number().int().optional(),
-  description: z10.string().max(300).optional()
-}).passthrough();
-var zCredentialOfferGrants = z10.object({
-  authorization_code: z10.object({
-    issuer_state: z10.string().optional(),
-    authorization_server: zHttpsUrl2.optional()
-  }).passthrough().optional(),
-  [preAuthorizedCodeGrantIdentifier]: z10.object({
-    "pre-authorized_code": z10.string(),
-    tx_code: zTxCode.optional(),
-    authorization_server: zHttpsUrl2.optional()
-  }).passthrough().optional()
-}).passthrough();
-var zCredentialOfferObjectDraft14 = z10.object({
-  credential_issuer: zHttpsUrl2,
-  credential_configuration_ids: z10.array(z10.string()),
-  grants: z10.optional(zCredentialOfferGrants)
-}).passthrough();
-var zCredentialOfferObjectDraft11To14 = z10.object({
-  credential_issuer: zHttpsUrl2,
-  // We don't support the inline offer objects from draft 11
-  credentials: z10.array(
-    z10.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
-  ),
-  grants: z10.optional(
-    z10.object({
-      // Has extra param in draft 14, but doesn't matter for transform purposes
-      authorization_code: zCredentialOfferGrants.shape.authorization_code,
-      [preAuthorizedCodeGrantIdentifier]: z10.object({
-        "pre-authorized_code": z10.string(),
-        user_pin_required: z10.optional(z10.boolean())
-      }).passthrough().optional()
-    })
-  )
-}).passthrough().transform(({ credentials, grants, ...rest }) => {
-  const v14 = {
-    ...rest,
-    credential_configuration_ids: credentials
-  };
-  if (grants) {
-    v14.grants = { ...grants };
-    if (grants[preAuthorizedCodeGrantIdentifier]) {
-      const { user_pin_required, ...restGrants } = grants[preAuthorizedCodeGrantIdentifier];
-      v14.grants[preAuthorizedCodeGrantIdentifier] = {
-        ...restGrants
-      };
-      if (user_pin_required) {
-        v14.grants[preAuthorizedCodeGrantIdentifier].tx_code = {
-          input_mode: "text"
-        };
-      }
-    }
-  }
-  return v14;
-}).pipe(zCredentialOfferObjectDraft14);
-var zCredentialOfferObject = z10.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialOfferObjectDraft14,
-  // Then try parsing draft 11 and transform into draft 14
-  zCredentialOfferObjectDraft11To14
-]);
-
-// src/credential-offer/credential-offer.ts
-async function resolveCredentialOffer(credentialOffer, options) {
-  const parsedQueryParams = getQueryParams(credentialOffer);
-  let credentialOfferParseResult;
-  if (parsedQueryParams.credential_offer_uri) {
-    const fetchWithZod = createZodFetcher(options?.fetch);
-    const { response, result } = await fetchWithZod(
-      zCredentialOfferObject,
-      ContentType.Json,
-      parsedQueryParams.credential_offer_uri
-    );
-    if (!response.ok || !result) {
-      throw new InvalidFetchResponseError(
-        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
-        await response.clone().text(),
-        response
-      );
-    }
-    credentialOfferParseResult = result;
-  } else if (parsedQueryParams.credential_offer) {
-    let credentialOfferJson;
-    try {
-      credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
-    } catch (error) {
-      throw new Oauth2Error3(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
-    }
-    credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
-  } else {
-    throw new Oauth2Error3(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
-  }
-  if (credentialOfferParseResult.error) {
-    throw new ValidationError2(
-      `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
-      credentialOfferParseResult.error
-    );
+function parseKeyAttestationJwt({ keyAttestationJwt, use }) {
+  return decodeJwt({
+    jwt: keyAttestationJwt,
+    headerSchema: zKeyAttestationJwtHeader,
+    payloadSchema: zKeyAttestationJwtPayloadForUse(use)
+  });
+}
+async function verifyKeyAttestationJwt(options) {
+  const { header, payload } = parseKeyAttestationJwt({ keyAttestationJwt: options.keyAttestationJwt, use: options.use });
+  const now = options.now?.getTime() ?? Date.now();
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Openid4vciError("Nonce used for key attestation jwt expired");
   }
-  return credentialOfferParseResult.data;
+  const { signer } = await verifyJwt({
+    compact: options.keyAttestationJwt,
+    header,
+    payload,
+    signer: jwtSignerFromJwt({ header, payload }),
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "Error verifiying key attestation jwt",
+    expectedNonce: options.expectedNonce,
+    now: options.now
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
 }
-function determineAuthorizationServerForCredentialOffer(options) {
-  const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
-  let authorizationServer;
-  if (options.grantAuthorizationServer) {
-    authorizationServer = options.grantAuthorizationServer;
-    if (!authorizationServers) {
-      throw new Oauth2Error3(
-        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
-      );
-    }
-    if (!authorizationServers.includes(authorizationServer)) {
+
+// src/metadata/credential-issuer/credential-configurations.ts
+import { Oauth2Error as Oauth2Error3 } from "@openid4vc/oauth2";
+import { ValidationError as ValidationError2 } from "@openid4vc/utils";
+function extractScopesForCredentialConfigurationIds(options) {
+  const scopes = /* @__PURE__ */ new Set();
+  for (const credentialConfigurationId of options.credentialConfigurationIds) {
+    const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
+    if (!credentialConfiguration) {
       throw new Oauth2Error3(
-        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
+        `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
       );
     }
-  } else if (!authorizationServers) {
-    authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
-  } else {
-    if (authorizationServers.length === 0) {
-      throw new Oauth2Error3(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
-    }
-    if (authorizationServers.length > 1) {
+    const scope = credentialConfiguration.scope;
+    if (scope) scopes.add(scope);
+    else if (!scope && options.throwOnConfigurationWithoutScope) {
       throw new Oauth2Error3(
-        `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
+        `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
       );
     }
-    authorizationServer = authorizationServers[0];
   }
-  return authorizationServer;
+  return scopes.size > 0 ? Array.from(scopes) : void 0;
 }
-async function createCredentialOffer(options) {
-  const {
-    [preAuthorizedCodeGrantIdentifier2]: preAuthorizedCodeGrant,
-    [authorizationCodeGrantIdentifier]: authorizationCodeGrant,
-    ...restGrants
-  } = options.grants;
-  const grants = { ...restGrants };
-  if (authorizationCodeGrant) {
-    determineAuthorizationServerForCredentialOffer({
-      issuerMetadata: options.issuerMetadata,
-      grantAuthorizationServer: authorizationCodeGrant.authorization_server
-    });
-    grants[authorizationCodeGrantIdentifier] = authorizationCodeGrant;
-  }
-  if (preAuthorizedCodeGrant) {
-    determineAuthorizationServerForCredentialOffer({
-      issuerMetadata: options.issuerMetadata,
-      grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
-    });
-    grants[preAuthorizedCodeGrantIdentifier2] = {
-      ...preAuthorizedCodeGrant,
-      "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? encodeToBase64Url(await options.callbacks.generateRandom(32))
-    };
-    const txCode = grants[preAuthorizedCodeGrantIdentifier2].tx_code;
-    if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-      grants[preAuthorizedCodeGrantIdentifier2].user_pin_required = txCode !== void 0;
+function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupported) {
+  const credentialConfigurationsSupported = {};
+  for (let index = 0; index < credentialsSupported.length; index++) {
+    const credentialSupported = credentialsSupported[index];
+    if (!credentialSupported.id) {
+      throw new Openid4vciError(
+        `Credential supported at index '${index}' does not have an 'id' property. Credential configuration requires the 'id' property as key`
+      );
     }
+    const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
+    if (!parseResult.success) {
+      throw new ValidationError2(
+        `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
+        parseResult.error
+      );
+    }
+    credentialConfigurationsSupported[credentialSupported.id] = parseResult.data;
   }
-  const idsNotInMetadata = options.credentialConfigurationIds.filter(
-    (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
-  );
-  if (idsNotInMetadata.length > 0) {
-    throw new Oauth2Error3(
-      `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
-    );
-  }
-  const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
-  const credentialOfferObject = parseWithErrorHandling(zCredentialOfferObject, {
-    credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
-    credential_configuration_ids: options.credentialConfigurationIds,
-    grants,
-    ...options.additionalPayload
-  });
-  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-    credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
-  }
-  const url = new URL(credentialOfferScheme);
-  url.search = `?${new URLSearchParams([
-    ...url.searchParams.entries(),
-    ...objectToQueryParams({
-      credential_offer_uri: options.credentialOfferUri,
-      // Only add credential_offer is uri is undefined
-      credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
-    }).entries()
-  ]).toString()}`;
-  return {
-    credentialOffer: url.toString(),
-    credentialOfferObject
-  };
+  return credentialConfigurationsSupported;
 }
 
+// src/Openid4vciClient.ts
+import {
+  Oauth2Client,
+  Oauth2ClientAuthorizationChallengeError,
+  Oauth2Error as Oauth2Error7,
+  Oauth2ErrorCodes as Oauth2ErrorCodes2,
+  authorizationCodeGrantIdentifier as authorizationCodeGrantIdentifier2,
+  getAuthorizationServerMetadataFromList as getAuthorizationServerMetadataFromList2,
+  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier3
+} from "@openid4vc/oauth2";
+
 // src/credential-request/format-payload.ts
 import { zIs } from "@openid4vc/utils";
 function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
-  const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[options.credentialConfigurationId];
-  if (!credentialConfiguration) {
-    throw new Openid4vciError(
-      `Could not find credential configuration with id '${options.credentialConfigurationId}' in metadata of credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'.`
-    );
-  }
-  if (zIs(zSdJwtVcCredentialIssuerMetadata, credentialConfiguration)) {
+  const credentialConfiguration = getCredentialConfigurationSupportedById(
+    options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+    options.credentialConfigurationId
+  );
+  if (zIs(zSdJwtVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       vct: credentialConfiguration.vct
     };
   }
-  if (zIs(zMsoMdocCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zMsoMdocCredentialIssuerMetadata, credentialConfiguration) || zIs(zMsoMdocCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       doctype: credentialConfiguration.doctype
     };
   }
-  if (zIs(zLdpVcCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zLdpVcCredentialIssuerMetadata, credentialConfiguration) || zIs(zLdpVcCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -923,7 +1075,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
-  if (zIs(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zJwtVcJsonLdCredentialIssuerMetadata, credentialConfiguration) || zIs(zJwtVcJsonLdCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -932,7 +1084,7 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
-  if (zIs(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration)) {
+  if (zIs(zJwtVcJsonCredentialIssuerMetadata, credentialConfiguration) || zIs(zJwtVcJsonCredentialIssuerMetadataDraft14, credentialConfiguration)) {
     return {
       format: credentialConfiguration.format,
       credential_definition: {
@@ -940,6 +1092,11 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
       }
     };
   }
+  if (zIs(zSdJwtDcCredentialIssuerMetadata, credentialConfiguration)) {
+    throw new Openid4vciError(
+      `Credential configuration id '${options.credentialConfigurationId}' with format ${zSdJwtVcFormatIdentifier.value} does not support credential request based on 'format'. Use 'credential_configuration_id' directly.`
+    );
+  }
   throw new Openid4vciError(
     `Unknown format '${credentialConfiguration.format}' in credential configuration with id '${options.credentialConfigurationId}' for credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
   );
@@ -950,36 +1107,36 @@ import {
   Oauth2Error as Oauth2Error4,
   resourceRequest
 } from "@openid4vc/oauth2";
-import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
 
 // src/credential-request/z-credential-request.ts
-import z14 from "zod";
+import z16 from "zod";
 
 // src/credential-request/z-credential-request-common.ts
 import { zJwk as zJwk2 } from "@openid4vc/oauth2";
-import z13 from "zod";
+import z15 from "zod";
 
 // src/formats/proof-type/jwt/z-jwt-proof-type.ts
 import { zCompactJwt as zCompactJwt2, zJwtHeader as zJwtHeader2, zJwtPayload as zJwtPayload2 } from "@openid4vc/oauth2";
 import { zHttpsUrl as zHttpsUrl3, zInteger as zInteger2 } from "@openid4vc/utils";
-import z11 from "zod";
-var zJwtProofTypeIdentifier = z11.literal("jwt");
+import z13 from "zod";
+var zJwtProofTypeIdentifier = z13.literal("jwt");
 var jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
-var zCredentialRequestProofJwt = z11.object({
+var zCredentialRequestProofJwt = z13.object({
   proof_type: zJwtProofTypeIdentifier,
   jwt: zCompactJwt2
 });
 var zCredentialRequestJwtProofTypeHeader = zJwtHeader2.merge(
-  z11.object({
-    key_attestation: z11.optional(zCompactJwt2),
-    typ: z11.literal("openid4vci-proof+jwt")
+  z13.object({
+    key_attestation: z13.optional(zCompactJwt2),
+    typ: z13.literal("openid4vci-proof+jwt")
   })
 ).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
   message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
 }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
   message: `When 'trust_chain' is provided, 'kid' is required`
 });
-var zCredentialRequestJwtProofTypePayload = z11.object({
+var zCredentialRequestJwtProofTypePayload = z13.object({
   ...zJwtPayload2.shape,
   aud: zHttpsUrl3,
   iat: zInteger2
@@ -987,40 +1144,40 @@ var zCredentialRequestJwtProofTypePayload = z11.object({
 
 // src/formats/proof-type/attestation/z-attestation-proof-type.ts
 import { zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
-import z12 from "zod";
-var zAttestationProofTypeIdentifier = z12.literal("attestation");
+import z14 from "zod";
+var zAttestationProofTypeIdentifier = z14.literal("attestation");
 var attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
-var zCredentialRequestProofAttestation = z12.object({
+var zCredentialRequestProofAttestation = z14.object({
   proof_type: zAttestationProofTypeIdentifier,
   attestation: zCompactJwt3
 });
 var zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadForUse("proof_type.attestation");
 
 // src/credential-request/z-credential-request-common.ts
-var zCredentialRequestProofCommon = z13.object({
-  proof_type: z13.string()
+var zCredentialRequestProofCommon = z15.object({
+  proof_type: z15.string()
 }).passthrough();
 var allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
-var zCredentialRequestProof = z13.union([
+var zCredentialRequestProof = z15.union([
   zCredentialRequestProofCommon,
-  z13.discriminatedUnion("proof_type", allCredentialRequestProofs)
+  z15.discriminatedUnion("proof_type", allCredentialRequestProofs)
 ]);
-var zCredentialRequestProofsCommon = z13.record(z13.string(), z13.array(z13.unknown()));
-var zCredentialRequestProofs = z13.object({
-  [zJwtProofTypeIdentifier.value]: z13.optional(z13.array(zCredentialRequestProofJwt.shape.jwt)),
-  [zAttestationProofTypeIdentifier.value]: z13.optional(z13.array(zCredentialRequestProofAttestation.shape.attestation))
+var zCredentialRequestProofsCommon = z15.record(z15.string(), z15.array(z15.unknown()));
+var zCredentialRequestProofs = z15.object({
+  [zJwtProofTypeIdentifier.value]: z15.optional(z15.array(zCredentialRequestProofJwt.shape.jwt)),
+  [zAttestationProofTypeIdentifier.value]: z15.optional(z15.array(zCredentialRequestProofAttestation.shape.attestation))
 });
-var zCredentialRequestCommon = z13.object({
+var zCredentialRequestCommon = z15.object({
   proof: zCredentialRequestProof.optional(),
-  proofs: z13.optional(
-    z13.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
+  proofs: z15.optional(
+    z15.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, {
       message: `The 'proofs' object in a credential request should contain exactly one attribute`
     })
   ),
-  credential_response_encryption: z13.object({
+  credential_response_encryption: z15.object({
     jwk: zJwk2,
-    alg: z13.string(),
-    enc: z13.string()
+    alg: z15.string(),
+    enc: z15.string()
   }).passthrough().optional()
 }).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), {
   message: `Both 'proof' and 'proofs' are defined. Only one is allowed`
@@ -1028,40 +1185,54 @@ var zCredentialRequestCommon = z13.object({
 
 // src/credential-request/z-credential-request.ts
 var allCredentialRequestFormats = [
-  zSdJwtVcCredentialRequestFormat,
-  zMsoMdocCredentialRequestFormat,
-  zLdpVcCredentialRequestFormat,
-  zJwtVcJsonLdCredentialRequestFormat,
-  zJwtVcJsonCredentialRequestFormat
+  zSdJwtVcCredentialRequestFormatDraft14,
+  zMsoMdocCredentialRequestFormatDraft14,
+  zLdpVcCredentialRequestFormatDraft14,
+  zJwtVcJsonLdCredentialRequestFormatDraft14,
+  zJwtVcJsonCredentialRequestFormatDraft14
 ];
 var allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map(
   (format) => format.shape.format.value
 );
-var zAuthorizationDetailsCredentialRequest = z14.object({
-  credential_identifier: z14.string(),
+var zCredentialRequestCredentialConfigurationId = z16.object({
+  credential_configuration_id: z16.string(),
+  format: z16.never({ message: "'format' cannot be defined when 'credential_configuration_id' is set." }).optional(),
+  credential_identifier: z16.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
+});
+var zAuthorizationDetailsCredentialRequest = z16.object({
+  credential_identifier: z16.string(),
+  credential_configuration_id: z16.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional(),
   // Cannot be present if credential identifier is present
-  format: z14.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
+  format: z16.never({ message: "'format' cannot be defined when 'credential_identifier' is set." }).optional()
 });
-var zCredentialRequestFormatNoCredentialIdentifier = z14.object({
-  format: z14.string(),
-  credential_identifier: z14.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional()
+var zCredentialRequestFormat = z16.object({
+  format: z16.string(),
+  credential_identifier: z16.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
+  credential_configuration_id: z16.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).passthrough();
-var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
-  if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-  const result = z14.object({}).passthrough().and(z14.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
+var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
+  if (!allCredentialRequestFormatIdentifiers.includes(
+    data.format
+  ))
+    return data;
+  const result = z16.object({}).passthrough().and(z16.discriminatedUnion("format", allCredentialRequestFormats)).safeParse(data);
   if (result.success) {
     return result.data;
   }
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z14.NEVER;
+  return z16.NEVER;
 });
-var zCredentialRequestDraft14 = z14.union([
+var zCredentialRequestDraft15 = z16.union([
+  zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest),
+  zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
+]);
+var zCredentialRequestDraft14 = z16.union([
   zCredenialRequestDraft14WithFormat,
   zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
 ]);
-var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormatNoCredentialIdentifier).transform((data, ctx) => {
+var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
   const formatSpecificTransformations = {
     [zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
     [zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft11To14,
@@ -1074,7 +1245,7 @@ var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequ
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z14.NEVER;
+  return z16.NEVER;
 }).pipe(zCredentialRequestDraft14);
 var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
   (data) => data.credential_identifier === void 0,
@@ -1092,15 +1263,19 @@ var zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine(
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z14.NEVER;
+  return z16.NEVER;
 });
-var zCredentialRequest = z14.union([zCredentialRequestDraft14, zCredentialRequestDraft11To14]);
+var zCredentialRequest = z16.union([
+  zCredentialRequestDraft15,
+  zCredentialRequestDraft14,
+  zCredentialRequestDraft11To14
+]);
 
 // src/credential-request/z-credential-response.ts
-import z16 from "zod";
+import z18 from "zod";
 
 // ../oauth2/src/common/z-oauth2-error.ts
-import z15 from "zod";
+import z17 from "zod";
 var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["ServerError"] = "server_error";
   Oauth2ErrorCodes4["InvalidTarget"] = "invalid_target";
@@ -1137,21 +1312,21 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["WalletUnavailable"] = "wallet_unavailable";
   return Oauth2ErrorCodes4;
 })(Oauth2ErrorCodes || {});
-var zOauth2ErrorResponse = z15.object({
-  error: z15.union([z15.nativeEnum(Oauth2ErrorCodes), z15.string()]),
-  error_description: z15.string().optional(),
-  error_uri: z15.string().optional()
+var zOauth2ErrorResponse = z17.object({
+  error: z17.union([z17.nativeEnum(Oauth2ErrorCodes), z17.string()]),
+  error_description: z17.string().optional(),
+  error_uri: z17.string().optional()
 }).passthrough();
 
 // src/credential-request/z-credential-response.ts
-var zCredentialEncoding = z16.union([z16.string(), z16.record(z16.string(), z16.any())]);
-var zCredentialResponse = z16.object({
-  credential: z16.optional(zCredentialEncoding),
-  credentials: z16.optional(z16.array(zCredentialEncoding)),
-  transaction_id: z16.string().optional(),
-  c_nonce: z16.string().optional(),
-  c_nonce_expires_in: z16.number().int().optional(),
-  notification_id: z16.string().optional()
+var zCredentialEncoding = z18.union([z18.string(), z18.record(z18.string(), z18.any())]);
+var zCredentialResponse = z18.object({
+  credential: z18.optional(zCredentialEncoding),
+  credentials: z18.optional(z18.array(zCredentialEncoding)),
+  transaction_id: z18.string().optional(),
+  c_nonce: z18.string().optional(),
+  c_nonce_expires_in: z18.number().int().optional(),
+  notification_id: z18.string().optional()
 }).passthrough().refine(
   (value) => {
     const { credential, credentials, transaction_id } = value;
@@ -1161,14 +1336,43 @@ var zCredentialResponse = z16.object({
     message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
   }
 );
-var zCredentialErrorResponse = z16.object({
+var zCredentialErrorResponse = z18.object({
   ...zOauth2ErrorResponse.shape,
-  c_nonce: z16.string().optional(),
-  c_nonce_expires_in: z16.number().int().optional()
+  c_nonce: z18.string().optional(),
+  c_nonce_expires_in: z18.number().int().optional()
 }).passthrough();
 
 // src/credential-request/retrieve-credentials.ts
+async function retrieveCredentialsWithCredentialConfigurationId(options) {
+  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */) {
+    throw new Openid4vciError(
+      "Requesting credentials based on format is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
+    );
+  }
+  getCredentialConfigurationSupportedById(
+    options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+    options.credentialConfigurationId
+  );
+  const credentialRequest = {
+    ...options.additionalRequestPayload,
+    credential_configuration_id: options.credentialConfigurationId,
+    proof: options.proof,
+    proofs: options.proofs
+  };
+  return retrieveCredentials({
+    callbacks: options.callbacks,
+    credentialRequest,
+    issuerMetadata: options.issuerMetadata,
+    accessToken: options.accessToken,
+    dpop: options.dpop
+  });
+}
 async function retrieveCredentialsWithFormat(options) {
+  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+    throw new Openid4vciError(
+      "Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request."
+    );
+  }
   const credentialRequest = {
     ...options.formatPayload,
     ...options.additionalRequestPayload,
@@ -1185,7 +1389,7 @@ async function retrieveCredentialsWithFormat(options) {
 }
 async function retrieveCredentials(options) {
   const credentialEndpoint = options.issuerMetadata.credentialIssuer.credential_endpoint;
-  let credentialRequest = parseWithErrorHandling2(
+  let credentialRequest = parseWithErrorHandling3(
     zCredentialRequest,
     options.credentialRequest,
     "Error validating credential request"
@@ -1205,7 +1409,7 @@ async function retrieveCredentials(options) {
     }
   }
   if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-    credentialRequest = parseWithErrorHandling2(
+    credentialRequest = parseWithErrorHandling3(
       zCredentialRequestDraft14To11,
       credentialRequest,
       `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
@@ -1249,39 +1453,6 @@ async function retrieveCredentials(options) {
 import { decodeJwt as decodeJwt2, isJwkInSet, jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2 } from "@openid4vc/oauth2";
 import { jwtSignerFromJwt as jwtSignerFromJwt2, verifyJwt as verifyJwt2 } from "@openid4vc/oauth2";
 import { dateToSeconds as dateToSeconds2, parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
-
-// src/key-attestation/key-attestation.ts
-import { decodeJwt, jwtHeaderFromJwtSigner } from "@openid4vc/oauth2";
-import { jwtSignerFromJwt, verifyJwt } from "@openid4vc/oauth2";
-import { dateToSeconds, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
-async function verifyKeyAttestationJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.keyAttestationJwt,
-    headerSchema: zKeyAttestationJwtHeader,
-    payloadSchema: zKeyAttestationJwtPayloadForUse(options.use)
-  });
-  const now = options.now?.getTime() ?? Date.now();
-  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
-    throw new Openid4vciError("Nonce used for key attestation jwt expired");
-  }
-  const { signer } = await verifyJwt({
-    compact: options.keyAttestationJwt,
-    header,
-    payload,
-    signer: jwtSignerFromJwt({ header, payload }),
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "Error verifiying key attestation jwt",
-    expectedNonce: options.expectedNonce,
-    now: options.now
-  });
-  return {
-    header,
-    payload,
-    signer
-  };
-}
-
-// src/formats/proof-type/jwt/jwt-proof-type.ts
 async function createCredentialRequestJwtProof(options) {
   const header = parseWithErrorHandling4(zCredentialRequestJwtProofTypeHeader, {
     ...jwtHeaderFromJwtSigner2(options.signer),
@@ -1413,10 +1584,10 @@ import { ContentType as ContentType3, ValidationError as ValidationError3, creat
 
 // src/nonce/z-nonce.ts
 import { zInteger as zInteger3 } from "@openid4vc/utils";
-import z17 from "zod";
-var zNonceResponse = z17.object({
-  c_nonce: z17.string(),
-  c_nonce_expires_in: z17.optional(zInteger3)
+import z19 from "zod";
+var zNonceResponse = z19.object({
+  c_nonce: z19.string(),
+  c_nonce_expires_in: z19.optional(zInteger3)
 }).passthrough();
 
 // src/nonce/nonce-request.ts
@@ -1459,15 +1630,15 @@ import {
 import { ContentType as ContentType4, isResponseContentType as isResponseContentType2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
 
 // src/notification/z-notification.ts
-import z18 from "zod";
-var zNotificationEvent = z18.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
-var zNotificationRequest = z18.object({
-  notification_id: z18.string(),
+import z20 from "zod";
+var zNotificationEvent = z20.enum(["credential_accepted", "credential_failure", "credential_deleted"]);
+var zNotificationRequest = z20.object({
+  notification_id: z20.string(),
   event: zNotificationEvent,
-  event_description: z18.optional(z18.string())
+  event_description: z20.optional(z20.string())
 }).passthrough();
-var zNotificationErrorResponse = z18.object({
-  error: z18.enum(["invalid_notification_id", "invalid_notification_request"])
+var zNotificationErrorResponse = z20.object({
+  error: z20.enum(["invalid_notification_id", "invalid_notification_request"])
 }).passthrough();
 
 // src/notification/notification.ts
@@ -1610,7 +1781,6 @@ var Openid4vciClient = class {
           issuer_state: options.credentialOffer?.grants?.authorization_code?.issuer_state
         },
         dpop: options.dpop,
-        clientAttestation: options.clientAttestation,
         resource: options.issuerMetadata.credentialIssuer.credential_issuer,
         authorizationServerMetadata
       });
@@ -1664,7 +1834,6 @@ var Openid4vciClient = class {
       redirectUri: options.redirectUri,
       scope: options.scope,
       pkceCodeVerifier: options.pkceCodeVerifier,
-      clientAttestation: options.clientAttestation,
       dpop: options.dpop
     });
     return {
@@ -1683,8 +1852,7 @@ var Openid4vciClient = class {
     issuerMetadata,
     additionalRequestPayload,
     txCode,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     if (!credentialOffer.grants?.[preAuthorizedCodeGrantIdentifier3]) {
       throw new Oauth2Error7(`The credential offer does not contain the '${preAuthorizedCodeGrantIdentifier3}' grant.`);
@@ -1709,8 +1877,7 @@ var Openid4vciClient = class {
       txCode,
       resource: issuerMetadata.credentialIssuer.credential_issuer,
       additionalRequestPayload,
-      dpop,
-      clientAttestation
+      dpop
     });
     return {
       ...result,
@@ -1728,8 +1895,7 @@ var Openid4vciClient = class {
     authorizationCode,
     pkceCodeVerifier,
     redirectUri,
-    dpop,
-    clientAttestation
+    dpop
   }) {
     if (!credentialOffer.grants?.[authorizationCodeGrantIdentifier2]) {
       throw new Oauth2Error7(`The credential offer does not contain the '${authorizationCodeGrantIdentifier2}' grant.`);
@@ -1748,7 +1914,6 @@ var Openid4vciClient = class {
       pkceCodeVerifier,
       additionalRequestPayload,
       dpop,
-      clientAttestation,
       redirectUri,
       resource: issuerMetadata.credentialIssuer.credential_issuer
     });
@@ -1826,20 +1991,34 @@ var Openid4vciClient = class {
     accessToken,
     dpop
   }) {
-    const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
-      credentialConfigurationId,
-      issuerMetadata
-    });
-    const credentialResponse = await retrieveCredentialsWithFormat({
-      accessToken,
-      formatPayload,
-      issuerMetadata,
-      additionalRequestPayload,
-      proof,
-      proofs,
-      callbacks: this.options.callbacks,
-      dpop
-    });
+    let credentialResponse;
+    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+      credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
+        accessToken,
+        credentialConfigurationId,
+        issuerMetadata,
+        additionalRequestPayload,
+        proof,
+        proofs,
+        callbacks: this.options.callbacks,
+        dpop
+      });
+    } else {
+      const formatPayload = getCredentialRequestFormatPayloadForCredentialConfigurationId({
+        credentialConfigurationId,
+        issuerMetadata
+      });
+      credentialResponse = await retrieveCredentialsWithFormat({
+        accessToken,
+        formatPayload,
+        issuerMetadata,
+        additionalRequestPayload,
+        proof,
+        proofs,
+        callbacks: this.options.callbacks,
+        dpop
+      });
+    }
     if (!credentialResponse.ok) {
       throw new Openid4vciRetrieveCredentialsError(
         `Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`,
@@ -1880,6 +2059,7 @@ var Openid4vciClient = class {
 
 // src/Openid4vciIssuer.ts
 import {
+  Oauth2AuthorizationServer,
   Oauth2ErrorCodes as Oauth2ErrorCodes3,
   Oauth2JwtVerificationError,
   Oauth2ServerErrorResponseError
@@ -1905,7 +2085,7 @@ function createCredentialResponse(options) {
 
 // src/credential-request/parse-credential-request.ts
 import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
-import z19 from "zod";
+import z21 from "zod";
 function parseCredentialRequest(options) {
   const credentialRequest = parseWithErrorHandling9(
     zCredentialRequest,
@@ -1917,12 +2097,27 @@ function parseCredentialRequest(options) {
   if (knownProofs.success) {
     proofs = knownProofs.data;
   }
-  const knownProof = z19.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+  const knownProof = z21.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
   if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) {
     proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
   } else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) {
     proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
   }
+  if (credentialRequest.credential_configuration_id) {
+    getCredentialConfigurationSupportedById(
+      options.issuerMetadata.credentialIssuer.credential_configurations_supported,
+      credentialRequest.credential_configuration_id
+    );
+    const credentialConfigurations = extractKnownCredentialConfigurationSupportedFormats(
+      options.issuerMetadata.credentialIssuer.credential_configurations_supported
+    );
+    return {
+      credentialConfiguration: credentialConfigurations[credentialRequest.credential_configuration_id],
+      credentialConfigurationId: credentialRequest.credential_configuration_id,
+      credentialRequest,
+      proofs
+    };
+  }
   if (credentialRequest.credential_identifier) {
     return {
       credentialIdentifier: credentialRequest.credential_identifier,
@@ -1930,11 +2125,13 @@ function parseCredentialRequest(options) {
       proofs
     };
   }
-  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) {
+  if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(
+    credentialRequest.format
+  )) {
     return {
       // Removes all claims that are not specific to this format
       format: parseWithErrorHandling9(
-        z19.union(allCredentialRequestFormats),
+        z21.union(allCredentialRequestFormats),
         credentialRequest,
         "Unable to validate format specific properties from credential request"
       ),
@@ -2086,6 +2283,42 @@ var Openid4vciIssuer = class {
   createNonceResponse(options) {
     return createNonceResponse(options);
   }
+  async verifyWalletAttestation(options) {
+    return new Oauth2AuthorizationServer({
+      callbacks: this.options.callbacks
+    }).verifyClientAttestation(options);
+  }
+};
+
+// src/Openid4vciWalletProvider.ts
+import {
+  createClientAttestationJwt
+} from "@openid4vc/oauth2";
+var Openid4vciWalletProvider = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async createWalletAttestationJwt(options) {
+    const additionalPayload = options.additionalPayload ? {
+      wallet_name: options.walletName,
+      wallet_link: options.walletLink,
+      ...options.additionalPayload
+    } : {
+      wallet_name: options.walletName,
+      wallet_link: options.walletLink
+    };
+    return await createClientAttestationJwt({
+      ...options,
+      callbacks: this.options.callbacks,
+      additionalPayload
+    });
+  }
+  async createKeyAttestationJwt(options) {
+    return await createKeyAttestationJwt({
+      callbacks: this.options.callbacks,
+      ...options
+    });
+  }
 };
 export {
   AuthorizationFlow,
@@ -2095,10 +2328,15 @@ export {
   Openid4vciIssuer,
   Openid4vciRetrieveCredentialsError,
   Openid4vciSendNotificationError,
+  Openid4vciWalletProvider,
+  createKeyAttestationJwt,
   credentialsSupportedToCredentialConfigurationsSupported,
+  determineAuthorizationServerForCredentialOffer,
   extractScopesForCredentialConfigurationIds,
   getCredentialConfigurationsMatchingRequestFormat,
   getGlobalConfig,
-  setGlobalConfig
+  parseKeyAttestationJwt,
+  setGlobalConfig,
+  verifyKeyAttestationJwt
 };
 //# sourceMappingURL=index.mjs.map