@openid4vc/openid4vci 0.3.0-alpha-20250325212250 → 0.3.0-alpha-20250328113308

package/dist/index.mjs

@@ -1,3 +1,231 @@
+// src/credential-offer/credential-offer.ts
+import {
+  InvalidFetchResponseError,
+  Oauth2Error,
+  authorizationCodeGrantIdentifier,
+  getAuthorizationServerMetadataFromList,
+  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier2
+} from "@openid4vc/oauth2";
+import {
+  ContentType,
+  URL,
+  URLSearchParams,
+  ValidationError,
+  createZodFetcher,
+  encodeToBase64Url,
+  getQueryParams,
+  objectToQueryParams,
+  parseWithErrorHandling
+} from "@openid4vc/utils";
+
+// src/version.ts
+var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft15"] = "Draft15";
+  Openid4vciDraftVersion2["Draft14"] = "Draft14";
+  Openid4vciDraftVersion2["Draft11"] = "Draft11";
+  return Openid4vciDraftVersion2;
+})(Openid4vciDraftVersion || {});
+
+// src/credential-offer/z-credential-offer.ts
+import {
+  preAuthorizedCodeGrantIdentifier
+} from "@openid4vc/oauth2";
+import { zHttpsUrl } from "@openid4vc/utils";
+import z from "zod";
+var zTxCode = z.object({
+  input_mode: z.union([z.literal("numeric"), z.literal("text")]).optional(),
+  length: z.number().int().optional(),
+  description: z.string().max(300).optional()
+}).passthrough();
+var zCredentialOfferGrants = z.object({
+  authorization_code: z.object({
+    issuer_state: z.string().optional(),
+    authorization_server: zHttpsUrl.optional()
+  }).passthrough().optional(),
+  [preAuthorizedCodeGrantIdentifier]: z.object({
+    "pre-authorized_code": z.string(),
+    tx_code: zTxCode.optional(),
+    authorization_server: zHttpsUrl.optional()
+  }).passthrough().optional()
+}).passthrough();
+var zCredentialOfferObjectDraft14 = z.object({
+  credential_issuer: zHttpsUrl,
+  credential_configuration_ids: z.array(z.string()),
+  grants: z.optional(zCredentialOfferGrants)
+}).passthrough();
+var zCredentialOfferObjectDraft11To14 = z.object({
+  credential_issuer: zHttpsUrl,
+  // We don't support the inline offer objects from draft 11
+  credentials: z.array(
+    z.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
+  ),
+  grants: z.optional(
+    z.object({
+      // Has extra param in draft 14, but doesn't matter for transform purposes
+      authorization_code: zCredentialOfferGrants.shape.authorization_code,
+      [preAuthorizedCodeGrantIdentifier]: z.object({
+        "pre-authorized_code": z.string(),
+        user_pin_required: z.optional(z.boolean())
+      }).passthrough().optional()
+    })
+  )
+}).passthrough().transform(({ credentials, grants, ...rest }) => {
+  const v14 = {
+    ...rest,
+    credential_configuration_ids: credentials
+  };
+  if (grants) {
+    v14.grants = { ...grants };
+    if (grants[preAuthorizedCodeGrantIdentifier]) {
+      const { user_pin_required, ...restGrants } = grants[preAuthorizedCodeGrantIdentifier];
+      v14.grants[preAuthorizedCodeGrantIdentifier] = {
+        ...restGrants
+      };
+      if (user_pin_required) {
+        v14.grants[preAuthorizedCodeGrantIdentifier].tx_code = {
+          input_mode: "text"
+        };
+      }
+    }
+  }
+  return v14;
+}).pipe(zCredentialOfferObjectDraft14);
+var zCredentialOfferObject = z.union([
+  // First prioritize draft 14 (and 13)
+  zCredentialOfferObjectDraft14,
+  // Then try parsing draft 11 and transform into draft 14
+  zCredentialOfferObjectDraft11To14
+]);
+
+// src/credential-offer/credential-offer.ts
+async function resolveCredentialOffer(credentialOffer, options) {
+  const parsedQueryParams = getQueryParams(credentialOffer);
+  let credentialOfferParseResult;
+  if (parsedQueryParams.credential_offer_uri) {
+    const fetchWithZod = createZodFetcher(options?.fetch);
+    const { response, result } = await fetchWithZod(
+      zCredentialOfferObject,
+      ContentType.Json,
+      parsedQueryParams.credential_offer_uri
+    );
+    if (!response.ok || !result) {
+      throw new InvalidFetchResponseError(
+        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
+        await response.clone().text(),
+        response
+      );
+    }
+    credentialOfferParseResult = result;
+  } else if (parsedQueryParams.credential_offer) {
+    let credentialOfferJson;
+    try {
+      credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
+    } catch (error) {
+      throw new Oauth2Error(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
+    }
+    credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
+  } else {
+    throw new Oauth2Error(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
+  }
+  if (credentialOfferParseResult.error) {
+    throw new ValidationError(
+      `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
+      credentialOfferParseResult.error
+    );
+  }
+  return credentialOfferParseResult.data;
+}
+function determineAuthorizationServerForCredentialOffer(options) {
+  const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
+  let authorizationServer;
+  if (options.grantAuthorizationServer) {
+    authorizationServer = options.grantAuthorizationServer;
+    if (!authorizationServers) {
+      throw new Oauth2Error(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
+      );
+    }
+    if (!authorizationServers.includes(authorizationServer)) {
+      throw new Oauth2Error(
+        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
+      );
+    }
+  } else if (!authorizationServers) {
+    authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
+  } else {
+    if (authorizationServers.length === 0) {
+      throw new Oauth2Error(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
+    }
+    if (authorizationServers.length > 1) {
+      throw new Oauth2Error(
+        `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
+      );
+    }
+    authorizationServer = authorizationServers[0];
+  }
+  return authorizationServer;
+}
+async function createCredentialOffer(options) {
+  const {
+    [preAuthorizedCodeGrantIdentifier2]: preAuthorizedCodeGrant,
+    [authorizationCodeGrantIdentifier]: authorizationCodeGrant,
+    ...restGrants
+  } = options.grants;
+  const grants = { ...restGrants };
+  if (authorizationCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: authorizationCodeGrant.authorization_server
+    });
+    grants[authorizationCodeGrantIdentifier] = authorizationCodeGrant;
+  }
+  if (preAuthorizedCodeGrant) {
+    determineAuthorizationServerForCredentialOffer({
+      issuerMetadata: options.issuerMetadata,
+      grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
+    });
+    grants[preAuthorizedCodeGrantIdentifier2] = {
+      ...preAuthorizedCodeGrant,
+      "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? encodeToBase64Url(await options.callbacks.generateRandom(32))
+    };
+    const txCode = grants[preAuthorizedCodeGrantIdentifier2].tx_code;
+    if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+      grants[preAuthorizedCodeGrantIdentifier2].user_pin_required = txCode !== void 0;
+    }
+  }
+  const idsNotInMetadata = options.credentialConfigurationIds.filter(
+    (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
+  );
+  if (idsNotInMetadata.length > 0) {
+    throw new Oauth2Error(
+      `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
+    );
+  }
+  const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
+  const credentialOfferObject = parseWithErrorHandling(zCredentialOfferObject, {
+    credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
+    credential_configuration_ids: options.credentialConfigurationIds,
+    grants,
+    ...options.additionalPayload
+  });
+  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
+    credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
+  }
+  const url = new URL(credentialOfferScheme);
+  url.search = `?${new URLSearchParams([
+    ...url.searchParams.entries(),
+    ...objectToQueryParams({
+      credential_offer_uri: options.credentialOfferUri,
+      // Only add credential_offer is uri is undefined
+      credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
+    }).entries()
+  ]).toString()}`;
+  return {
+    credentialOffer: url.toString(),
+    credentialOfferObject
+  };
+}
+
 // src/index.ts
 import { getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
 
@@ -5,38 +233,38 @@ import { getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
 import { arrayEqualsIgnoreOrder } from "@openid4vc/utils";
 
 // src/metadata/credential-issuer/credential-issuer-metadata.ts
-import { Oauth2Error, fetchWellKnownMetadata } from "@openid4vc/oauth2";
+import { Oauth2Error as Oauth2Error2, fetchWellKnownMetadata } from "@openid4vc/oauth2";
 import { joinUriParts } from "@openid4vc/utils";
 
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 import { zCompactJwt } from "@openid4vc/oauth2";
-import { zHttpsUrl } from "@openid4vc/utils";
-import z11 from "zod";
+import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
+import z12 from "zod";
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-import z2 from "zod";
+import z3 from "zod";
 
 // src/metadata/credential-issuer/z-claims-description.ts
-import z from "zod";
-var zCredentialConfigurationSupportedClaimsDraft14 = z.object({
-  mandatory: z.boolean().optional(),
-  value_type: z.string().optional(),
-  display: z.object({
-    name: z.string().optional(),
-    locale: z.string().optional()
+import z2 from "zod";
+var zCredentialConfigurationSupportedClaimsDraft14 = z2.object({
+  mandatory: z2.boolean().optional(),
+  value_type: z2.string().optional(),
+  display: z2.object({
+    name: z2.string().optional(),
+    locale: z2.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zClaimsDescriptionPath = z.array(z.union([z.string(), z.number().int().nonnegative(), z.null()])).nonempty();
-var zMsoMdocClaimsDescriptionPath = z.tuple([z.string(), z.string()], {
+var zClaimsDescriptionPath = z2.array(z2.union([z2.string(), z2.number().int().nonnegative(), z2.null()])).nonempty();
+var zMsoMdocClaimsDescriptionPath = z2.tuple([z2.string(), z2.string()], {
   message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential"
 });
-var zIssuerMetadataClaimsDescription = z.object({
+var zIssuerMetadataClaimsDescription = z2.object({
   path: zClaimsDescriptionPath,
-  mandatory: z.boolean().optional(),
-  display: z.array(
-    z.object({
-      name: z.string().optional(),
-      locale: z.string().optional()
+  mandatory: z2.boolean().optional(),
+  display: z2.array(
+    z2.object({
+      name: z2.string().optional(),
+      locale: z2.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
@@ -45,97 +273,97 @@ var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.e
 });
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var zMsoMdocFormatIdentifier = z2.literal("mso_mdoc");
-var zMsoMdocCredentialIssuerMetadata = z2.object({
+var zMsoMdocFormatIdentifier = z3.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = z3.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z2.string(),
-  claims: z2.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+  doctype: z3.string(),
+  claims: z3.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
 });
-var zMsoMdocCredentialIssuerMetadataDraft14 = z2.object({
+var zMsoMdocCredentialIssuerMetadataDraft14 = z3.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z2.string(),
+  doctype: z3.string(),
   claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
-  order: z2.optional(z2.array(z2.string()))
+  order: z3.optional(z3.array(z3.string()))
 });
-var zMsoMdocCredentialRequestFormatDraft14 = z2.object({
+var zMsoMdocCredentialRequestFormatDraft14 = z3.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z2.string(),
+  doctype: z3.string(),
   // Format based request is removed in Draft 15, so only old claims syntax supported.
-  claims: z2.optional(zCredentialConfigurationSupportedClaimsDraft14)
+  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 
 // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
-import z3 from "zod";
-var zSdJwtVcFormatIdentifier = z3.literal("vc+sd-jwt");
-var zSdJwtVcCredentialIssuerMetadataDraft14 = z3.object({
-  vct: z3.string(),
+import z4 from "zod";
+var zSdJwtVcFormatIdentifier = z4.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadataDraft14 = z4.object({
+  vct: z4.string(),
   format: zSdJwtVcFormatIdentifier,
-  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14),
-  order: z3.optional(z3.array(z3.string()))
+  claims: z4.optional(zCredentialConfigurationSupportedClaimsDraft14),
+  order: z4.optional(z4.array(z4.string()))
 });
-var zSdJwtVcCredentialRequestFormatDraft14 = z3.object({
+var zSdJwtVcCredentialRequestFormatDraft14 = z4.object({
   format: zSdJwtVcFormatIdentifier,
-  vct: z3.string(),
-  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14)
+  vct: z4.string(),
+  claims: z4.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 
 // src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
-import z4 from "zod";
-var zSdJwtDcFormatIdentifier = z4.literal("dc+sd-jwt");
-var zSdJwtDcCredentialIssuerMetadata = z4.object({
-  vct: z4.string(),
+import z5 from "zod";
+var zSdJwtDcFormatIdentifier = z5.literal("dc+sd-jwt");
+var zSdJwtDcCredentialIssuerMetadata = z5.object({
+  vct: z5.string(),
   format: zSdJwtDcFormatIdentifier,
-  claims: z4.array(zIssuerMetadataClaimsDescription).optional()
+  claims: z5.array(zIssuerMetadataClaimsDescription).optional()
 });
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-import z6 from "zod";
+import z7 from "zod";
 
 // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
-import z5 from "zod";
-var zCredentialSubjectLeafTypeDraft14 = z5.object({
-  mandatory: z5.boolean().optional(),
-  value_type: z5.string().optional(),
-  display: z5.array(
-    z5.object({
-      name: z5.string().optional(),
-      locale: z5.string().optional()
+import z6 from "zod";
+var zCredentialSubjectLeafTypeDraft14 = z6.object({
+  mandatory: z6.boolean().optional(),
+  value_type: z6.string().optional(),
+  display: z6.array(
+    z6.object({
+      name: z6.string().optional(),
+      locale: z6.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
-var zClaimValueSchemaDraft14 = z5.union([
-  z5.array(z5.any()),
-  z5.record(z5.string(), z5.any()),
+var zClaimValueSchemaDraft14 = z6.union([
+  z6.array(z6.any()),
+  z6.record(z6.string(), z6.any()),
   zCredentialSubjectLeafTypeDraft14
 ]);
-var zW3cVcCredentialSubjectDraft14 = z5.record(z5.string(), zClaimValueSchemaDraft14);
-var zW3cVcJsonLdCredentialDefinition = z5.object({
-  "@context": z5.array(z5.string()),
-  type: z5.array(z5.string())
+var zW3cVcCredentialSubjectDraft14 = z6.record(z6.string(), zClaimValueSchemaDraft14);
+var zW3cVcJsonLdCredentialDefinition = z6.object({
+  "@context": z6.array(z6.string()),
+  type: z6.array(z6.string())
 }).passthrough();
 var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 });
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-var zLdpVcFormatIdentifier = z6.literal("ldp_vc");
-var zLdpVcCredentialIssuerMetadata = z6.object({
+var zLdpVcFormatIdentifier = z7.literal("ldp_vc");
+var zLdpVcCredentialIssuerMetadata = z7.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft14 = z6.object({
+var zLdpVcCredentialIssuerMetadataDraft14 = z7.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-  order: z6.array(z6.string()).optional()
+  order: z7.array(z7.string()).optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft11 = z6.object({
-  order: z6.array(z6.string()).optional(),
+var zLdpVcCredentialIssuerMetadataDraft11 = z7.object({
+  order: z7.array(z7.string()).optional(),
   format: zLdpVcFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": z6.array(z6.string()),
-  types: z6.array(z6.string()),
+  "@context": z7.array(z7.string()),
+  types: z7.array(z7.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
@@ -154,16 +382,16 @@ var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDr
   ...credentialDefinition,
   types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-var zLdpVcCredentialRequestFormatDraft14 = z6.object({
+var zLdpVcCredentialRequestFormatDraft14 = z7.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
-var zLdpVcCredentialRequestDraft11 = z6.object({
+var zLdpVcCredentialRequestDraft11 = z7.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: z6.object({
-    "@context": z6.array(z6.string()),
+  credential_definition: z7.object({
+    "@context": z7.array(z7.string()),
     // credential_definition was using types instead of type in v11
-    types: z6.array(z6.string()),
+    types: z7.array(z7.string()),
     credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
   })
 }).passthrough();
@@ -185,25 +413,25 @@ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.pa
 })).pipe(zLdpVcCredentialRequestDraft11);
 
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
-import z7 from "zod";
-var zJwtVcJsonLdFormatIdentifier = z7.literal("jwt_vc_json-ld");
-var zJwtVcJsonLdCredentialIssuerMetadata = z7.object({
+import z8 from "zod";
+var zJwtVcJsonLdFormatIdentifier = z8.literal("jwt_vc_json-ld");
+var zJwtVcJsonLdCredentialIssuerMetadata = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = z7.object({
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-  order: z7.optional(z7.array(z7.string()))
+  order: z8.optional(z8.array(z8.string()))
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z7.object({
-  order: z7.array(z7.string()).optional(),
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z8.object({
+  order: z8.array(z8.string()).optional(),
   format: zJwtVcJsonLdFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": z7.array(z7.string()),
-  types: z7.array(z7.string()),
+  "@context": z8.array(z8.string()),
+  types: z8.array(z8.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
@@ -222,17 +450,17 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssu
   ...credentialDefinition,
   types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-var zJwtVcJsonLdCredentialRequestFormatDraft14 = z7.object({
+var zJwtVcJsonLdCredentialRequestFormatDraft14 = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition
 });
-var zJwtVcJsonLdCredentialRequestDraft11 = z7.object({
+var zJwtVcJsonLdCredentialRequestDraft11 = z8.object({
   format: zJwtVcJsonLdFormatIdentifier,
-  credential_definition: z7.object({
-    "@context": z7.array(z7.string()),
+  credential_definition: z8.object({
+    "@context": z8.array(z8.string()),
     // credential_definition was using types instead of type in v11
-    types: z7.array(z7.string()),
-    credentialSubject: z7.optional(zW3cVcCredentialSubjectDraft14)
+    types: z8.array(z8.string()),
+    credentialSubject: z8.optional(zW3cVcCredentialSubjectDraft14)
   }).passthrough()
 }).passthrough();
 var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -253,30 +481,30 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
 })).pipe(zJwtVcJsonLdCredentialRequestDraft11);
 
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
-import z8 from "zod";
-var zJwtVcJsonFormatIdentifier = z8.literal("jwt_vc_json");
-var zJwtVcJsonCredentialDefinition = z8.object({
-  type: z8.array(z8.string())
+import z9 from "zod";
+var zJwtVcJsonFormatIdentifier = z9.literal("jwt_vc_json");
+var zJwtVcJsonCredentialDefinition = z9.object({
+  type: z9.array(z9.string())
 }).passthrough();
 var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadata = z8.object({
+var zJwtVcJsonCredentialIssuerMetadata = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft14 = z8.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft14 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
-  order: z8.array(z8.string()).optional()
+  order: z9.array(z9.string()).optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft11 = z8.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft11 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
-  order: z8.array(z8.string()).optional(),
+  order: z9.array(z9.string()).optional(),
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: z8.array(z8.string()),
+  types: z9.array(z9.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
@@ -294,16 +522,16 @@ var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMe
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-var zJwtVcJsonCredentialRequestFormatDraft14 = z8.object({
+var zJwtVcJsonCredentialRequestFormatDraft14 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition
 });
-var zJwtVcJsonCredentialRequestDraft11 = z8.object({
+var zJwtVcJsonCredentialRequestDraft11 = z9.object({
   format: zJwtVcJsonFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: z8.array(z8.string()),
-  credentialSubject: z8.optional(zW3cVcCredentialSubjectDraft14)
+  types: z9.array(z9.string()),
+  credentialSubject: z9.optional(zW3cVcCredentialSubjectDraft14)
 }).passthrough();
 var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
   ({ types, credentialSubject, ...rest }) => {
@@ -323,81 +551,76 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDr
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialRequestDraft11);
 
-// src/version.ts
-var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
-  Openid4vciDraftVersion2["Draft15"] = "Draft15";
-  Openid4vciDraftVersion2["Draft14"] = "Draft14";
-  Openid4vciDraftVersion2["Draft11"] = "Draft11";
-  return Openid4vciDraftVersion2;
-})(Openid4vciDraftVersion || {});
-
 // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-import z10 from "zod";
+import z11 from "zod";
 
 // src/key-attestation/z-key-attestation.ts
 import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
 import { zInteger } from "@openid4vc/utils";
-import z9 from "zod";
-var zKeyAttestationJwtHeader = z9.object({
+import z10 from "zod";
+var zKeyAttestationJwtHeader = z10.object({
   ...zJwtHeader.shape,
-  typ: z9.literal("keyattestation+jwt")
+  typ: z10.literal("keyattestation+jwt").or(
+    // Draft 16
+    z10.literal("key-attestation+jwt")
+  )
 }).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
   message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
 }).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
   message: `When 'trust_chain' is provided, 'kid' is required`
 });
-var zIso18045 = z9.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
-var zIso18045OrStringArray = z9.array(z9.union([zIso18045, z9.string()]));
-var zKeyAttestationJwtPayload = z9.object({
+var zIso18045 = z10.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = z10.array(z10.union([zIso18045, z10.string()]));
+var zKeyAttestationJwtPayload = z10.object({
   ...zJwtPayload.shape,
   iat: zInteger,
-  attested_keys: z9.array(zJwk),
-  key_storage: z9.optional(zIso18045OrStringArray),
-  user_authentication: z9.optional(zIso18045OrStringArray),
-  certification: z9.optional(z9.string().url())
+  attested_keys: z10.array(zJwk),
+  key_storage: z10.optional(zIso18045OrStringArray),
+  user_authentication: z10.optional(zIso18045OrStringArray),
+  certification: z10.optional(z10.string().url())
 }).passthrough();
-var zKeyAttestationJwtPayloadForUse = (use) => z9.object({
+var zKeyAttestationJwtPayloadForUse = (use) => z10.object({
   ...zKeyAttestationJwtPayload.shape,
   // REQUIRED when used as proof_type.attesation directly
-  nonce: use === "proof_type.attestation" ? z9.string({
+  nonce: use === "proof_type.attestation" ? z10.string({
     message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
-  }) : z9.optional(z9.string()),
+  }) : z10.optional(z10.string()),
   // REQUIRED when used within header of proof_type.jwt
-  exp: use === "proof_type.jwt" ? zInteger : z9.optional(zInteger)
+  exp: use === "proof_type.jwt" ? zInteger : z10.optional(zInteger)
 }).passthrough();
 
 // src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var zCredentialConfigurationSupportedCommon = z10.object({
-  format: z10.string(),
-  scope: z10.string().optional(),
-  cryptographic_binding_methods_supported: z10.array(z10.string()).optional(),
-  credential_signing_alg_values_supported: z10.array(z10.string()).optional(),
-  proof_types_supported: z10.record(
-    z10.union([z10.literal("jwt"), z10.literal("attestation"), z10.string()]),
-    z10.object({
-      proof_signing_alg_values_supported: z10.array(z10.string()),
-      key_attestations_required: z10.object({
+var zCredentialConfigurationSupportedCommon = z11.object({
+  format: z11.string(),
+  scope: z11.string().optional(),
+  cryptographic_binding_methods_supported: z11.array(z11.string()).optional(),
+  credential_signing_alg_values_supported: z11.array(z11.string()).optional(),
+  proof_types_supported: z11.record(
+    z11.union([z11.literal("jwt"), z11.literal("attestation"), z11.string()]),
+    z11.object({
+      proof_signing_alg_values_supported: z11.array(z11.string()),
+      key_attestations_required: z11.object({
         key_storage: zIso18045OrStringArray.optional(),
         user_authentication: zIso18045OrStringArray.optional()
       }).passthrough().optional()
     })
   ).optional(),
-  display: z10.array(
-    z10.object({
-      name: z10.string(),
-      locale: z10.string().optional(),
-      logo: z10.object({
+  display: z11.array(
+    z11.object({
+      name: z11.string(),
+      locale: z11.string().optional(),
+      logo: z11.object({
         // FIXME: make required again, but need to support draft 11 first
-        uri: z10.string().optional(),
-        alt_text: z10.string().optional()
+        uri: z11.string().optional(),
+        alt_text: z11.string().optional()
       }).passthrough().optional(),
-      description: z10.string().optional(),
-      background_color: z10.string().optional(),
-      background_image: z10.object({
+      description: z11.string().optional(),
+      background_color: z11.string().optional(),
+      background_image: z11.object({
         // TODO: should be required, but paradym's metadata is wrong here.
-        uri: z10.string().optional()
+        uri: z11.string().optional()
       }).passthrough().optional(),
-      text_color: z10.string().optional()
+      text_color: z11.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
@@ -432,8 +655,8 @@ var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSuppo
       },
       {}
     )[data.format];
-    const result = z11.object({}).passthrough().and(
-      validators.length > 1 ? z11.union(validators) : validators[0]
+    const result = z12.object({}).passthrough().and(
+      validators.length > 1 ? z12.union(validators) : validators[0]
     ).safeParse(data);
     if (result.success) {
       return result.data;
@@ -441,49 +664,49 @@ var zCredentialConfigurationSupportedWithFormats = zCredentialConfigurationSuppo
     for (const issue of result.error.issues) {
       ctx.addIssue(issue);
     }
-    return z11.NEVER;
+    return z12.NEVER;
   }
 );
-var zCredentialIssuerMetadataDisplayEntry = z11.object({
-  name: z11.string().optional(),
-  locale: z11.string().optional(),
-  logo: z11.object({
+var zCredentialIssuerMetadataDisplayEntry = z12.object({
+  name: z12.string().optional(),
+  locale: z12.string().optional(),
+  logo: z12.object({
     // FIXME: make required again, but need to support draft 11 first
-    uri: z11.string().optional(),
-    alt_text: z11.string().optional()
+    uri: z12.string().optional(),
+    alt_text: z12.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialIssuerMetadataDraft14Draft15 = z11.object({
-  credential_issuer: zHttpsUrl,
-  authorization_servers: z11.array(zHttpsUrl).optional(),
-  credential_endpoint: zHttpsUrl,
-  deferred_credential_endpoint: zHttpsUrl.optional(),
-  notification_endpoint: zHttpsUrl.optional(),
+var zCredentialIssuerMetadataDraft14Draft15 = z12.object({
+  credential_issuer: zHttpsUrl2,
+  authorization_servers: z12.array(zHttpsUrl2).optional(),
+  credential_endpoint: zHttpsUrl2,
+  deferred_credential_endpoint: zHttpsUrl2.optional(),
+  notification_endpoint: zHttpsUrl2.optional(),
   // Added after draft 14, but needed for proper
-  nonce_endpoint: zHttpsUrl.optional(),
-  credential_response_encryption: z11.object({
-    alg_values_supported: z11.array(z11.string()),
-    enc_values_supported: z11.array(z11.string()),
-    encryption_required: z11.boolean()
+  nonce_endpoint: zHttpsUrl2.optional(),
+  credential_response_encryption: z12.object({
+    alg_values_supported: z12.array(z12.string()),
+    enc_values_supported: z12.array(z12.string()),
+    encryption_required: z12.boolean()
   }).passthrough().optional(),
-  batch_credential_issuance: z11.object({
-    batch_size: z11.number().positive()
+  batch_credential_issuance: z12.object({
+    batch_size: z12.number().positive()
   }).passthrough().optional(),
   signed_metadata: zCompactJwt.optional(),
-  display: z11.array(zCredentialIssuerMetadataDisplayEntry).optional(),
-  credential_configurations_supported: z11.record(z11.string(), zCredentialConfigurationSupportedWithFormats)
+  display: z12.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+  credential_configurations_supported: z12.record(z12.string(), zCredentialConfigurationSupportedWithFormats)
 }).passthrough();
-var zCredentialConfigurationSupportedDraft11To14 = z11.object({
-  id: z11.string().optional(),
-  format: z11.string(),
-  cryptographic_suites_supported: z11.array(z11.string()).optional(),
-  display: z11.array(
-    z11.object({
-      logo: z11.object({
-        url: z11.string().url().optional()
+var zCredentialConfigurationSupportedDraft11To14 = z12.object({
+  id: z12.string().optional(),
+  format: z12.string(),
+  cryptographic_suites_supported: z12.array(z12.string()).optional(),
+  display: z12.array(
+    z12.object({
+      logo: z12.object({
+        url: z12.string().url().optional()
       }).passthrough().optional(),
-      background_image: z11.object({
-        url: z11.string().url().optional()
+      background_image: z12.object({
+        url: z12.string().url().optional()
       }).passthrough().optional()
     }).passthrough()
   ).optional()
@@ -524,11 +747,11 @@ var zCredentialConfigurationSupportedDraft11To14 = z11.object({
   for (const issue of result.error.issues) {
     ctx.addIssue(issue);
   }
-  return z11.NEVER;
+  return z12.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
-  z11.object({
-    id: z11.string()
+  z12.object({
+    id: z12.string()
   }).passthrough()
 ).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope, ...rest }) => ({
   ...rest,
@@ -548,15 +771,15 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
   } : {},
   id
 })).pipe(
-  z11.union([
+  z12.union([
     zLdpVcCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
     // To handle unrecognized formats and not error immediately we allow the common format as well
     // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
     // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
-    z11.object({
-      format: z11.string().refine(
+    z12.object({
+      format: z12.string().refine(
         (input) => ![
           zLdpVcFormatIdentifier.value,
           zJwtVcJsonFormatIdentifier.value,
@@ -566,11 +789,11 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     }).passthrough()
   ])
 );
-var zCredentialIssuerMetadataDraft11To14 = z11.object({
-  authorization_server: z11.string().optional(),
-  credentials_supported: z11.array(
-    z11.object({
-      id: z11.string().optional()
+var zCredentialIssuerMetadataDraft11To14 = z12.object({
+  authorization_server: z12.string().optional(),
+  credentials_supported: z12.array(
+    z12.object({
+      id: z12.string().optional()
     }).passthrough()
   )
 }).passthrough().transform(({ authorization_server, credentials_supported, ...rest }) => {
@@ -583,9 +806,9 @@ var zCredentialIssuerMetadataDraft11To14 = z11.object({
     )
   };
 }).pipe(
-  z11.object({
+  z12.object({
     // Update from v11 structrue to v14 structure
-    credential_configurations_supported: z11.record(z11.string(), zCredentialConfigurationSupportedDraft11To14)
+    credential_configurations_supported: z12.record(z12.string(), zCredentialConfigurationSupportedDraft11To14)
   }).passthrough()
 ).pipe(zCredentialIssuerMetadataDraft14Draft15);
 var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
@@ -597,16 +820,16 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft
   }))
 })).pipe(
   zCredentialIssuerMetadataDraft14Draft15.extend({
-    credentials_supported: z11.array(zCredentialConfigurationSupportedDraft14To11)
+    credentials_supported: z12.array(zCredentialConfigurationSupportedDraft14To11)
   })
 );
-var zCredentialIssuerMetadata = z11.union([
+var zCredentialIssuerMetadata = z12.union([
   // First prioritize draft 15/14 (and 13)
   zCredentialIssuerMetadataDraft14Draft15,
   // Then try parsing draft 11 and transform into draft 14
   zCredentialIssuerMetadataDraft11To14
 ]);
-var zCredentialIssuerMetadataWithDraftVersion = z11.union([
+var zCredentialIssuerMetadataWithDraftVersion = z12.union([
   zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
     const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
       (configuration) => {
@@ -638,7 +861,7 @@ async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
   const wellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
   const result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
   if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) {
-    throw new Oauth2Error(
+    throw new Oauth2Error2(
       `The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`
     );
   }
@@ -654,7 +877,7 @@ function extractKnownCredentialConfigurationSupportedFormats(credentialConfigura
 function getCredentialConfigurationSupportedById(credentialConfigurations, credentialConfigurationId) {
   const configuration = credentialConfigurations[credentialConfigurationId];
   if (!configuration) {
-    throw new Oauth2Error(
+    throw new Oauth2Error2(
       `Credential configuration with id '${credentialConfigurationId}' not found in credential configurations supported.`
     );
   }
@@ -716,24 +939,76 @@ var Openid4vciSendNotificationError = class extends Openid4vciError {
     super(message);
     this.response = response;
   }
-};
+};
+
+// src/key-attestation/key-attestation.ts
+import { decodeJwt, jwtHeaderFromJwtSigner } from "@openid4vc/oauth2";
+import { jwtSignerFromJwt, verifyJwt } from "@openid4vc/oauth2";
+import { dateToSeconds, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+async function createKeyAttestationJwt(options) {
+  const header = parseWithErrorHandling2(zKeyAttestationJwtHeader, {
+    ...jwtHeaderFromJwtSigner(options.signer),
+    typ: "keyattestation+jwt"
+  });
+  const payload = parseWithErrorHandling2(zKeyAttestationJwtPayloadForUse(options.use), {
+    iat: dateToSeconds(options.issuedAt),
+    exp: options.expiresAt ? dateToSeconds(options.expiresAt) : void 0,
+    nonce: options.nonce,
+    attested_keys: options.attestedKeys,
+    user_authentication: options.userAuthentication,
+    key_storage: options.keyStorage,
+    certification: options.certification,
+    ...options.additionalPayload
+  });
+  const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
+  return jwt;
+}
+function parseKeyAttestationJwt({ keyAttestationJwt, use }) {
+  return decodeJwt({
+    jwt: keyAttestationJwt,
+    headerSchema: zKeyAttestationJwtHeader,
+    payloadSchema: zKeyAttestationJwtPayloadForUse(use)
+  });
+}
+async function verifyKeyAttestationJwt(options) {
+  const { header, payload } = parseKeyAttestationJwt({ keyAttestationJwt: options.keyAttestationJwt, use: options.use });
+  const now = options.now?.getTime() ?? Date.now();
+  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
+    throw new Openid4vciError("Nonce used for key attestation jwt expired");
+  }
+  const { signer } = await verifyJwt({
+    compact: options.keyAttestationJwt,
+    header,
+    payload,
+    signer: jwtSignerFromJwt({ header, payload }),
+    verifyJwtCallback: options.callbacks.verifyJwt,
+    errorMessage: "Error verifiying key attestation jwt",
+    expectedNonce: options.expectedNonce,
+    now: options.now
+  });
+  return {
+    header,
+    payload,
+    signer
+  };
+}
 
 // src/metadata/credential-issuer/credential-configurations.ts
-import { Oauth2Error as Oauth2Error2 } from "@openid4vc/oauth2";
-import { ValidationError } from "@openid4vc/utils";
+import { Oauth2Error as Oauth2Error3 } from "@openid4vc/oauth2";
+import { ValidationError as ValidationError2 } from "@openid4vc/utils";
 function extractScopesForCredentialConfigurationIds(options) {
   const scopes = /* @__PURE__ */ new Set();
   for (const credentialConfigurationId of options.credentialConfigurationIds) {
     const credentialConfiguration = options.issuerMetadata.credentialIssuer.credential_configurations_supported[credentialConfigurationId];
     if (!credentialConfiguration) {
-      throw new Oauth2Error2(
+      throw new Oauth2Error3(
         `Credential configuration with id '${credentialConfigurationId}' not found in metadata from credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}'`
       );
     }
     const scope = credentialConfiguration.scope;
     if (scope) scopes.add(scope);
     else if (!scope && options.throwOnConfigurationWithoutScope) {
-      throw new Oauth2Error2(
+      throw new Oauth2Error3(
         `Credential configuration with id '${credentialConfigurationId}' does not have a 'scope' configured, and 'throwOnConfigurationWithoutScope' was enabled.`
       );
     }
@@ -751,7 +1026,7 @@ function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupp
     }
     const parseResult = zCredentialConfigurationSupportedDraft11To14.safeParse(credentialSupported);
     if (!parseResult.success) {
-      throw new ValidationError(
+      throw new ValidationError2(
         `Error transforming credential supported with id '${credentialSupported.id}' to credential configuration supported format`,
         parseResult.error
       );
@@ -772,226 +1047,6 @@ import {
   preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier3
 } from "@openid4vc/oauth2";
 
-// src/credential-offer/credential-offer.ts
-import {
-  InvalidFetchResponseError,
-  Oauth2Error as Oauth2Error3,
-  authorizationCodeGrantIdentifier,
-  getAuthorizationServerMetadataFromList,
-  preAuthorizedCodeGrantIdentifier as preAuthorizedCodeGrantIdentifier2
-} from "@openid4vc/oauth2";
-import {
-  ContentType,
-  URL,
-  URLSearchParams,
-  ValidationError as ValidationError2,
-  createZodFetcher,
-  encodeToBase64Url,
-  getQueryParams,
-  objectToQueryParams,
-  parseWithErrorHandling
-} from "@openid4vc/utils";
-
-// src/credential-offer/z-credential-offer.ts
-import {
-  preAuthorizedCodeGrantIdentifier
-} from "@openid4vc/oauth2";
-import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
-import z12 from "zod";
-var zTxCode = z12.object({
-  input_mode: z12.union([z12.literal("numeric"), z12.literal("text")]).optional(),
-  length: z12.number().int().optional(),
-  description: z12.string().max(300).optional()
-}).passthrough();
-var zCredentialOfferGrants = z12.object({
-  authorization_code: z12.object({
-    issuer_state: z12.string().optional(),
-    authorization_server: zHttpsUrl2.optional()
-  }).passthrough().optional(),
-  [preAuthorizedCodeGrantIdentifier]: z12.object({
-    "pre-authorized_code": z12.string(),
-    tx_code: zTxCode.optional(),
-    authorization_server: zHttpsUrl2.optional()
-  }).passthrough().optional()
-}).passthrough();
-var zCredentialOfferObjectDraft14 = z12.object({
-  credential_issuer: zHttpsUrl2,
-  credential_configuration_ids: z12.array(z12.string()),
-  grants: z12.optional(zCredentialOfferGrants)
-}).passthrough();
-var zCredentialOfferObjectDraft11To14 = z12.object({
-  credential_issuer: zHttpsUrl2,
-  // We don't support the inline offer objects from draft 11
-  credentials: z12.array(
-    z12.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })
-  ),
-  grants: z12.optional(
-    z12.object({
-      // Has extra param in draft 14, but doesn't matter for transform purposes
-      authorization_code: zCredentialOfferGrants.shape.authorization_code,
-      [preAuthorizedCodeGrantIdentifier]: z12.object({
-        "pre-authorized_code": z12.string(),
-        user_pin_required: z12.optional(z12.boolean())
-      }).passthrough().optional()
-    })
-  )
-}).passthrough().transform(({ credentials, grants, ...rest }) => {
-  const v14 = {
-    ...rest,
-    credential_configuration_ids: credentials
-  };
-  if (grants) {
-    v14.grants = { ...grants };
-    if (grants[preAuthorizedCodeGrantIdentifier]) {
-      const { user_pin_required, ...restGrants } = grants[preAuthorizedCodeGrantIdentifier];
-      v14.grants[preAuthorizedCodeGrantIdentifier] = {
-        ...restGrants
-      };
-      if (user_pin_required) {
-        v14.grants[preAuthorizedCodeGrantIdentifier].tx_code = {
-          input_mode: "text"
-        };
-      }
-    }
-  }
-  return v14;
-}).pipe(zCredentialOfferObjectDraft14);
-var zCredentialOfferObject = z12.union([
-  // First prioritize draft 14 (and 13)
-  zCredentialOfferObjectDraft14,
-  // Then try parsing draft 11 and transform into draft 14
-  zCredentialOfferObjectDraft11To14
-]);
-
-// src/credential-offer/credential-offer.ts
-async function resolveCredentialOffer(credentialOffer, options) {
-  const parsedQueryParams = getQueryParams(credentialOffer);
-  let credentialOfferParseResult;
-  if (parsedQueryParams.credential_offer_uri) {
-    const fetchWithZod = createZodFetcher(options?.fetch);
-    const { response, result } = await fetchWithZod(
-      zCredentialOfferObject,
-      ContentType.Json,
-      parsedQueryParams.credential_offer_uri
-    );
-    if (!response.ok || !result) {
-      throw new InvalidFetchResponseError(
-        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
-        await response.clone().text(),
-        response
-      );
-    }
-    credentialOfferParseResult = result;
-  } else if (parsedQueryParams.credential_offer) {
-    let credentialOfferJson;
-    try {
-      credentialOfferJson = JSON.parse(decodeURIComponent(parsedQueryParams.credential_offer));
-    } catch (error) {
-      throw new Oauth2Error3(`Error parsing JSON from 'credential_offer' param in credential offer '${credentialOffer}'`);
-    }
-    credentialOfferParseResult = zCredentialOfferObject.safeParse(credentialOfferJson);
-  } else {
-    throw new Oauth2Error3(`Credential offer did not contain either 'credential_offer' or 'credential_offer_uri' param.`);
-  }
-  if (credentialOfferParseResult.error) {
-    throw new ValidationError2(
-      `Error parsing credential offer in draft 11, 13 or 14 format extracted from credential offer '${credentialOffer}'`,
-      credentialOfferParseResult.error
-    );
-  }
-  return credentialOfferParseResult.data;
-}
-function determineAuthorizationServerForCredentialOffer(options) {
-  const authorizationServers = options.issuerMetadata.credentialIssuer.authorization_servers;
-  let authorizationServer;
-  if (options.grantAuthorizationServer) {
-    authorizationServer = options.grantAuthorizationServer;
-    if (!authorizationServers) {
-      throw new Oauth2Error3(
-        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not have an 'authorization_servers' property to match the value against.`
-      );
-    }
-    if (!authorizationServers.includes(authorizationServer)) {
-      throw new Oauth2Error3(
-        `Credential offer grant contains 'authorization_server' with value '${options.grantAuthorizationServer}' but credential issuer metadata does not include this authorization server. Available 'authorization_server' values are ${authorizationServers.join(", ")}.`
-      );
-    }
-  } else if (!authorizationServers) {
-    authorizationServer = options.issuerMetadata.credentialIssuer.credential_issuer;
-  } else {
-    if (authorizationServers.length === 0) {
-      throw new Oauth2Error3(`Credential issuer metadata has 'authorization_servers' value with length of 0`);
-    }
-    if (authorizationServers.length > 1) {
-      throw new Oauth2Error3(
-        `Credential issuer metadata has 'authorization_server' with multiple entries, but the credential offer grant did not specify which authorization server to use.`
-      );
-    }
-    authorizationServer = authorizationServers[0];
-  }
-  return authorizationServer;
-}
-async function createCredentialOffer(options) {
-  const {
-    [preAuthorizedCodeGrantIdentifier2]: preAuthorizedCodeGrant,
-    [authorizationCodeGrantIdentifier]: authorizationCodeGrant,
-    ...restGrants
-  } = options.grants;
-  const grants = { ...restGrants };
-  if (authorizationCodeGrant) {
-    determineAuthorizationServerForCredentialOffer({
-      issuerMetadata: options.issuerMetadata,
-      grantAuthorizationServer: authorizationCodeGrant.authorization_server
-    });
-    grants[authorizationCodeGrantIdentifier] = authorizationCodeGrant;
-  }
-  if (preAuthorizedCodeGrant) {
-    determineAuthorizationServerForCredentialOffer({
-      issuerMetadata: options.issuerMetadata,
-      grantAuthorizationServer: preAuthorizedCodeGrant.authorization_server
-    });
-    grants[preAuthorizedCodeGrantIdentifier2] = {
-      ...preAuthorizedCodeGrant,
-      "pre-authorized_code": preAuthorizedCodeGrant["pre-authorized_code"] ?? encodeToBase64Url(await options.callbacks.generateRandom(32))
-    };
-    const txCode = grants[preAuthorizedCodeGrantIdentifier2].tx_code;
-    if (txCode && options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-      grants[preAuthorizedCodeGrantIdentifier2].user_pin_required = txCode !== void 0;
-    }
-  }
-  const idsNotInMetadata = options.credentialConfigurationIds.filter(
-    (id) => options.issuerMetadata.credentialIssuer.credential_configurations_supported[id] === void 0
-  );
-  if (idsNotInMetadata.length > 0) {
-    throw new Oauth2Error3(
-      `Credential configuration ids ${idsNotInMetadata} not found in the credential issuer metadata 'credential_configurations_supported'. Available ids are ${Object.keys(options.issuerMetadata.credentialIssuer.credential_configurations_supported).join(", ")}.`
-    );
-  }
-  const credentialOfferScheme = options.credentialOfferScheme ?? "openid-credential-offer://";
-  const credentialOfferObject = parseWithErrorHandling(zCredentialOfferObject, {
-    credential_issuer: options.issuerMetadata.credentialIssuer.credential_issuer,
-    credential_configuration_ids: options.credentialConfigurationIds,
-    grants,
-    ...options.additionalPayload
-  });
-  if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-    credentialOfferObject.credentials = credentialOfferObject.credential_configuration_ids;
-  }
-  const url = new URL(credentialOfferScheme);
-  url.search = `?${new URLSearchParams([
-    ...url.searchParams.entries(),
-    ...objectToQueryParams({
-      credential_offer_uri: options.credentialOfferUri,
-      // Only add credential_offer is uri is undefined
-      credential_offer: options.credentialOfferUri ? void 0 : credentialOfferObject
-    }).entries()
-  ]).toString()}`;
-  return {
-    credentialOffer: url.toString(),
-    credentialOfferObject
-  };
-}
-
 // src/credential-request/format-payload.ts
 import { zIs } from "@openid4vc/utils";
 function getCredentialRequestFormatPayloadForCredentialConfigurationId(options) {
@@ -1052,7 +1107,7 @@ import {
   Oauth2Error as Oauth2Error4,
   resourceRequest
 } from "@openid4vc/oauth2";
-import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
 
 // src/credential-request/z-credential-request.ts
 import z16 from "zod";
@@ -1334,7 +1389,7 @@ async function retrieveCredentialsWithFormat(options) {
 }
 async function retrieveCredentials(options) {
   const credentialEndpoint = options.issuerMetadata.credentialIssuer.credential_endpoint;
-  let credentialRequest = parseWithErrorHandling2(
+  let credentialRequest = parseWithErrorHandling3(
     zCredentialRequest,
     options.credentialRequest,
     "Error validating credential request"
@@ -1354,7 +1409,7 @@ async function retrieveCredentials(options) {
     }
   }
   if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-    credentialRequest = parseWithErrorHandling2(
+    credentialRequest = parseWithErrorHandling3(
       zCredentialRequestDraft14To11,
       credentialRequest,
       `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
@@ -1398,57 +1453,6 @@ async function retrieveCredentials(options) {
 import { decodeJwt as decodeJwt2, isJwkInSet, jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2 } from "@openid4vc/oauth2";
 import { jwtSignerFromJwt as jwtSignerFromJwt2, verifyJwt as verifyJwt2 } from "@openid4vc/oauth2";
 import { dateToSeconds as dateToSeconds2, parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
-
-// src/key-attestation/key-attestation.ts
-import { decodeJwt, jwtHeaderFromJwtSigner } from "@openid4vc/oauth2";
-import { jwtSignerFromJwt, verifyJwt } from "@openid4vc/oauth2";
-import { dateToSeconds, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
-async function createKeyAttestationJwt(options) {
-  const header = parseWithErrorHandling3(zKeyAttestationJwtHeader, {
-    ...jwtHeaderFromJwtSigner(options.signer),
-    typ: "keyattestation+jwt"
-  });
-  const payload = parseWithErrorHandling3(zKeyAttestationJwtPayloadForUse(options.use), {
-    iat: dateToSeconds(options.issuedAt),
-    exp: options.expiresAt ? dateToSeconds(options.expiresAt) : void 0,
-    nonce: options.nonce,
-    attested_keys: options.attestedKeys,
-    user_authentication: options.userAuthentication,
-    key_storage: options.keyStorage,
-    certification: options.certification,
-    ...options.additionalPayload
-  });
-  const { jwt } = await options.callbacks.signJwt(options.signer, { header, payload });
-  return jwt;
-}
-async function verifyKeyAttestationJwt(options) {
-  const { header, payload } = decodeJwt({
-    jwt: options.keyAttestationJwt,
-    headerSchema: zKeyAttestationJwtHeader,
-    payloadSchema: zKeyAttestationJwtPayloadForUse(options.use)
-  });
-  const now = options.now?.getTime() ?? Date.now();
-  if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
-    throw new Openid4vciError("Nonce used for key attestation jwt expired");
-  }
-  const { signer } = await verifyJwt({
-    compact: options.keyAttestationJwt,
-    header,
-    payload,
-    signer: jwtSignerFromJwt({ header, payload }),
-    verifyJwtCallback: options.callbacks.verifyJwt,
-    errorMessage: "Error verifiying key attestation jwt",
-    expectedNonce: options.expectedNonce,
-    now: options.now
-  });
-  return {
-    header,
-    payload,
-    signer
-  };
-}
-
-// src/formats/proof-type/jwt/jwt-proof-type.ts
 async function createCredentialRequestJwtProof(options) {
   const header = parseWithErrorHandling4(zCredentialRequestJwtProofTypeHeader, {
     ...jwtHeaderFromJwtSigner2(options.signer),
@@ -2325,10 +2329,14 @@ export {
   Openid4vciRetrieveCredentialsError,
   Openid4vciSendNotificationError,
   Openid4vciWalletProvider,
+  createKeyAttestationJwt,
   credentialsSupportedToCredentialConfigurationsSupported,
+  determineAuthorizationServerForCredentialOffer,
   extractScopesForCredentialConfigurationIds,
   getCredentialConfigurationsMatchingRequestFormat,
   getGlobalConfig,
-  setGlobalConfig
+  parseKeyAttestationJwt,
+  setGlobalConfig,
+  verifyKeyAttestationJwt
 };
 //# sourceMappingURL=index.mjs.map