@openid4vc/openid4vci 0.3.0-alpha-20250714110838 → 0.3.0-alpha-20250811083900

package/dist/index.mjs

@@ -20,6 +20,7 @@ import {
 
 // src/version.ts
 var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft16"] = "Draft16";
   Openid4vciDraftVersion2["Draft15"] = "Draft15";
   Openid4vciDraftVersion2["Draft14"] = "Draft14";
   Openid4vciDraftVersion2["Draft11"] = "Draft11";
@@ -110,7 +111,7 @@ async function resolveCredentialOffer(credentialOffer, options) {
     );
     if (!response.ok || !result) {
       throw new InvalidFetchResponseError(
-        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
+        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccessful response with status '${response.status}'`,
         await response.clone().text(),
         response
       );
@@ -242,7 +243,7 @@ import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
 import z12 from "zod";
 
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-import z3 from "zod";
+import z5 from "zod";
 
 // src/metadata/credential-issuer/z-claims-description.ts
 import z2 from "zod";
@@ -272,98 +273,196 @@ var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.e
   path: zMsoMdocClaimsDescriptionPath
 });
 
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+import z4 from "zod";
+
+// src/key-attestation/z-key-attestation.ts
+import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
+import { zInteger } from "@openid4vc/utils";
+import z3 from "zod";
+var zKeyAttestationJwtHeader = z3.object({
+  ...zJwtHeader.shape,
+  typ: z3.literal("keyattestation+jwt").or(
+    // Draft 16
+    z3.literal("key-attestation+jwt")
+  )
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = z3.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = z3.array(z3.union([zIso18045, z3.string()]));
+var zKeyAttestationJwtPayload = z3.object({
+  ...zJwtPayload.shape,
+  iat: zInteger,
+  attested_keys: z3.array(zJwk),
+  key_storage: z3.optional(zIso18045OrStringArray),
+  user_authentication: z3.optional(zIso18045OrStringArray),
+  certification: z3.optional(z3.string().url())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => z3.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? z3.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : z3.optional(z3.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? zInteger : z3.optional(zInteger)
+}).passthrough();
+
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedCommonCredentialMetadata = z4.object({
+  display: z4.array(
+    z4.object({
+      name: z4.string(),
+      locale: z4.string().optional(),
+      logo: z4.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: z4.string().optional(),
+        alt_text: z4.string().optional()
+      }).passthrough().optional(),
+      description: z4.string().optional(),
+      background_color: z4.string().optional(),
+      background_image: z4.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: z4.string().optional()
+      }).passthrough().optional(),
+      text_color: z4.string().optional()
+    }).passthrough()
+  ).optional()
+});
+var zCredentialConfigurationSupportedCommon = z4.object({
+  format: z4.string(),
+  scope: z4.string().optional(),
+  cryptographic_binding_methods_supported: z4.array(z4.string()).optional(),
+  credential_signing_alg_values_supported: z4.array(z4.string()).or(z4.array(z4.number())).optional(),
+  proof_types_supported: z4.record(
+    z4.union([z4.literal("jwt"), z4.literal("attestation"), z4.string()]),
+    z4.object({
+      proof_signing_alg_values_supported: z4.array(z4.string()),
+      key_attestations_required: z4.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.optional()
+}).passthrough();
+
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var zMsoMdocFormatIdentifier = z3.literal("mso_mdoc");
-var zMsoMdocCredentialIssuerMetadata = z3.object({
+var zMsoMdocFormatIdentifier = z5.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = z5.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: z5.string(),
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: z5.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+  }).optional()
+});
+var zMsoMdocCredentialIssuerMetadataDraft15 = z5.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z3.string(),
-  claims: z3.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+  doctype: z5.string(),
+  claims: z5.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
 });
-var zMsoMdocCredentialIssuerMetadataDraft14 = z3.object({
+var zMsoMdocCredentialIssuerMetadataDraft14 = z5.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z3.string(),
+  doctype: z5.string(),
   claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
-  order: z3.optional(z3.array(z3.string()))
+  order: z5.optional(z5.array(z5.string()))
 });
-var zMsoMdocCredentialRequestFormatDraft14 = z3.object({
+var zMsoMdocCredentialRequestFormatDraft14 = z5.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: z3.string(),
+  doctype: z5.string(),
   // Format based request is removed in Draft 15, so only old claims syntax supported.
-  claims: z3.optional(zCredentialConfigurationSupportedClaimsDraft14)
+  claims: z5.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 
 // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
-import z4 from "zod";
-var zSdJwtVcFormatIdentifier = z4.literal("vc+sd-jwt");
-var zSdJwtVcCredentialIssuerMetadataDraft14 = z4.object({
-  vct: z4.string(),
+import z6 from "zod";
+var zSdJwtVcFormatIdentifier = z6.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadataDraft14 = z6.object({
+  vct: z6.string(),
   format: zSdJwtVcFormatIdentifier,
-  claims: z4.optional(zCredentialConfigurationSupportedClaimsDraft14),
-  order: z4.optional(z4.array(z4.string()))
+  claims: z6.optional(zCredentialConfigurationSupportedClaimsDraft14),
+  order: z6.optional(z6.array(z6.string()))
 });
-var zSdJwtVcCredentialRequestFormatDraft14 = z4.object({
+var zSdJwtVcCredentialRequestFormatDraft14 = z6.object({
   format: zSdJwtVcFormatIdentifier,
-  vct: z4.string(),
-  claims: z4.optional(zCredentialConfigurationSupportedClaimsDraft14)
+  vct: z6.string(),
+  claims: z6.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 
 // src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
-import z5 from "zod";
-var zSdJwtDcFormatIdentifier = z5.literal("dc+sd-jwt");
-var zSdJwtDcCredentialIssuerMetadata = z5.object({
-  vct: z5.string(),
+import z7 from "zod";
+var zSdJwtDcFormatIdentifier = z7.literal("dc+sd-jwt");
+var zSdJwtDcCredentialIssuerMetadata = z7.object({
+  vct: z7.string(),
   format: zSdJwtDcFormatIdentifier,
-  claims: z5.array(zIssuerMetadataClaimsDescription).optional()
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: z7.array(zIssuerMetadataClaimsDescription).optional()
+  }).optional()
+});
+var zSdJwtDcCredentialIssuerMetadataDraft15 = z7.object({
+  vct: z7.string(),
+  format: zSdJwtDcFormatIdentifier,
+  claims: z7.array(zIssuerMetadataClaimsDescription).optional()
 });
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-import z7 from "zod";
+import z9 from "zod";
 
 // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
-import z6 from "zod";
-var zCredentialSubjectLeafTypeDraft14 = z6.object({
-  mandatory: z6.boolean().optional(),
-  value_type: z6.string().optional(),
-  display: z6.array(
-    z6.object({
-      name: z6.string().optional(),
-      locale: z6.string().optional()
+import z8 from "zod";
+var zCredentialSubjectLeafTypeDraft14 = z8.object({
+  mandatory: z8.boolean().optional(),
+  value_type: z8.string().optional(),
+  display: z8.array(
+    z8.object({
+      name: z8.string().optional(),
+      locale: z8.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
-var zClaimValueSchemaDraft14 = z6.union([
-  z6.array(z6.any()),
-  z6.record(z6.string(), z6.any()),
+var zClaimValueSchemaDraft14 = z8.union([
+  z8.array(z8.any()),
+  z8.record(z8.string(), z8.any()),
   zCredentialSubjectLeafTypeDraft14
 ]);
-var zW3cVcCredentialSubjectDraft14 = z6.record(z6.string(), zClaimValueSchemaDraft14);
-var zW3cVcJsonLdCredentialDefinition = z6.object({
-  "@context": z6.array(z6.string()),
-  type: z6.array(z6.string())
+var zW3cVcCredentialSubjectDraft14 = z8.record(z8.string(), zClaimValueSchemaDraft14);
+var zW3cVcJsonLdCredentialDefinition = z8.object({
+  "@context": z8.array(z8.string()),
+  type: z8.array(z8.string())
 }).passthrough();
 var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 });
 
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-var zLdpVcFormatIdentifier = z7.literal("ldp_vc");
-var zLdpVcCredentialIssuerMetadata = z7.object({
+var zLdpVcFormatIdentifier = z9.literal("ldp_vc");
+var zLdpVcCredentialIssuerMetadata = z9.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: zIssuerMetadataClaimsDescription.optional()
+  }).optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft15 = z9.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft14 = z7.object({
+var zLdpVcCredentialIssuerMetadataDraft14 = z9.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-  order: z7.array(z7.string()).optional()
+  order: z9.array(z9.string()).optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft11 = z7.object({
-  order: z7.array(z7.string()).optional(),
+var zLdpVcCredentialIssuerMetadataDraft11 = z9.object({
+  order: z9.array(z9.string()).optional(),
   format: zLdpVcFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": z7.array(z7.string()),
-  types: z7.array(z7.string()),
+  "@context": z9.array(z9.string()),
+  types: z9.array(z9.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
@@ -382,16 +481,16 @@ var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDr
   ...credentialDefinition,
   types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-var zLdpVcCredentialRequestFormatDraft14 = z7.object({
+var zLdpVcCredentialRequestFormatDraft14 = z9.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
-var zLdpVcCredentialRequestDraft11 = z7.object({
+var zLdpVcCredentialRequestDraft11 = z9.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: z7.object({
-    "@context": z7.array(z7.string()),
+  credential_definition: z9.object({
+    "@context": z9.array(z9.string()),
     // credential_definition was using types instead of type in v11
-    types: z7.array(z7.string()),
+    types: z9.array(z9.string()),
     credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
   })
 }).passthrough();
@@ -413,25 +512,32 @@ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.pa
 })).pipe(zLdpVcCredentialRequestDraft11);
 
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
-import z8 from "zod";
-var zJwtVcJsonLdFormatIdentifier = z8.literal("jwt_vc_json-ld");
-var zJwtVcJsonLdCredentialIssuerMetadata = z8.object({
+import z10 from "zod";
+var zJwtVcJsonLdFormatIdentifier = z10.literal("jwt_vc_json-ld");
+var zJwtVcJsonLdCredentialIssuerMetadata = z10.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: zIssuerMetadataClaimsDescription.optional()
+  }).optional()
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft15 = z10.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = z8.object({
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = z10.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-  order: z8.optional(z8.array(z8.string()))
+  order: z10.optional(z10.array(z10.string()))
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z8.object({
-  order: z8.array(z8.string()).optional(),
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z10.object({
+  order: z10.array(z10.string()).optional(),
   format: zJwtVcJsonLdFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": z8.array(z8.string()),
-  types: z8.array(z8.string()),
+  "@context": z10.array(z10.string()),
+  types: z10.array(z10.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
@@ -450,17 +556,17 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssu
   ...credentialDefinition,
   types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-var zJwtVcJsonLdCredentialRequestFormatDraft14 = z8.object({
+var zJwtVcJsonLdCredentialRequestFormatDraft14 = z10.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition
 });
-var zJwtVcJsonLdCredentialRequestDraft11 = z8.object({
+var zJwtVcJsonLdCredentialRequestDraft11 = z10.object({
   format: zJwtVcJsonLdFormatIdentifier,
-  credential_definition: z8.object({
-    "@context": z8.array(z8.string()),
+  credential_definition: z10.object({
+    "@context": z10.array(z10.string()),
     // credential_definition was using types instead of type in v11
-    types: z8.array(z8.string()),
-    credentialSubject: z8.optional(zW3cVcCredentialSubjectDraft14)
+    types: z10.array(z10.string()),
+    credentialSubject: z10.optional(zW3cVcCredentialSubjectDraft14)
   }).passthrough()
 }).passthrough();
 var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -481,30 +587,37 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
 })).pipe(zJwtVcJsonLdCredentialRequestDraft11);
 
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
-import z9 from "zod";
-var zJwtVcJsonFormatIdentifier = z9.literal("jwt_vc_json");
-var zJwtVcJsonCredentialDefinition = z9.object({
-  type: z9.array(z9.string())
+import z11 from "zod";
+var zJwtVcJsonFormatIdentifier = z11.literal("jwt_vc_json");
+var zJwtVcJsonCredentialDefinition = z11.object({
+  type: z11.array(z11.string())
 }).passthrough();
 var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadata = z9.object({
+var zJwtVcJsonCredentialIssuerMetadata = z11.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinition,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: zIssuerMetadataClaimsDescription.optional()
+  }).optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft15 = z11.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft14 = z9.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft14 = z11.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
-  order: z9.array(z9.string()).optional()
+  order: z11.array(z11.string()).optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft11 = z9.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft11 = z11.object({
   format: zJwtVcJsonFormatIdentifier,
-  order: z9.array(z9.string()).optional(),
+  order: z11.array(z11.string()).optional(),
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: z9.array(z9.string()),
+  types: z11.array(z11.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
@@ -522,16 +635,16 @@ var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMe
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-var zJwtVcJsonCredentialRequestFormatDraft14 = z9.object({
+var zJwtVcJsonCredentialRequestFormatDraft14 = z11.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition
 });
-var zJwtVcJsonCredentialRequestDraft11 = z9.object({
+var zJwtVcJsonCredentialRequestDraft11 = z11.object({
   format: zJwtVcJsonFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: z9.array(z9.string()),
-  credentialSubject: z9.optional(zW3cVcCredentialSubjectDraft14)
+  types: z11.array(z11.string()),
+  credentialSubject: z11.optional(zW3cVcCredentialSubjectDraft14)
 }).passthrough();
 var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
   ({ types, credentialSubject, ...rest }) => {
@@ -551,80 +664,6 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDr
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialRequestDraft11);
 
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-import z11 from "zod";
-
-// src/key-attestation/z-key-attestation.ts
-import { zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
-import { zInteger } from "@openid4vc/utils";
-import z10 from "zod";
-var zKeyAttestationJwtHeader = z10.object({
-  ...zJwtHeader.shape,
-  typ: z10.literal("keyattestation+jwt").or(
-    // Draft 16
-    z10.literal("key-attestation+jwt")
-  )
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
-  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
-}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
-  message: `When 'trust_chain' is provided, 'kid' is required`
-});
-var zIso18045 = z10.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
-var zIso18045OrStringArray = z10.array(z10.union([zIso18045, z10.string()]));
-var zKeyAttestationJwtPayload = z10.object({
-  ...zJwtPayload.shape,
-  iat: zInteger,
-  attested_keys: z10.array(zJwk),
-  key_storage: z10.optional(zIso18045OrStringArray),
-  user_authentication: z10.optional(zIso18045OrStringArray),
-  certification: z10.optional(z10.string().url())
-}).passthrough();
-var zKeyAttestationJwtPayloadForUse = (use) => z10.object({
-  ...zKeyAttestationJwtPayload.shape,
-  // REQUIRED when used as proof_type.attesation directly
-  nonce: use === "proof_type.attestation" ? z10.string({
-    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
-  }) : z10.optional(z10.string()),
-  // REQUIRED when used within header of proof_type.jwt
-  exp: use === "proof_type.jwt" ? zInteger : z10.optional(zInteger)
-}).passthrough();
-
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var zCredentialConfigurationSupportedCommon = z11.object({
-  format: z11.string(),
-  scope: z11.string().optional(),
-  cryptographic_binding_methods_supported: z11.array(z11.string()).optional(),
-  credential_signing_alg_values_supported: z11.array(z11.string()).optional(),
-  proof_types_supported: z11.record(
-    z11.union([z11.literal("jwt"), z11.literal("attestation"), z11.string()]),
-    z11.object({
-      proof_signing_alg_values_supported: z11.array(z11.string()),
-      key_attestations_required: z11.object({
-        key_storage: zIso18045OrStringArray.optional(),
-        user_authentication: zIso18045OrStringArray.optional()
-      }).passthrough().optional()
-    })
-  ).optional(),
-  display: z11.array(
-    z11.object({
-      name: z11.string(),
-      locale: z11.string().optional(),
-      logo: z11.object({
-        // FIXME: make required again, but need to support draft 11 first
-        uri: z11.string().optional(),
-        alt_text: z11.string().optional()
-      }).passthrough().optional(),
-      description: z11.string().optional(),
-      background_color: z11.string().optional(),
-      background_image: z11.object({
-        // TODO: should be required, but paradym's metadata is wrong here.
-        uri: z11.string().optional()
-      }).passthrough().optional(),
-      text_color: z11.string().optional()
-    }).passthrough()
-  ).optional()
-}).passthrough();
-
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 var allCredentialIssuerMetadataFormats = [
   zSdJwtDcCredentialIssuerMetadata,
@@ -632,6 +671,11 @@ var allCredentialIssuerMetadataFormats = [
   zJwtVcJsonLdCredentialIssuerMetadata,
   zLdpVcCredentialIssuerMetadata,
   zJwtVcJsonCredentialIssuerMetadata,
+  zSdJwtDcCredentialIssuerMetadataDraft15,
+  zMsoMdocCredentialIssuerMetadataDraft15,
+  zJwtVcJsonLdCredentialIssuerMetadataDraft15,
+  zLdpVcCredentialIssuerMetadataDraft15,
+  zJwtVcJsonCredentialIssuerMetadataDraft15,
   zMsoMdocCredentialIssuerMetadataDraft14,
   zSdJwtVcCredentialIssuerMetadataDraft14,
   zJwtVcJsonLdCredentialIssuerMetadataDraft14,
@@ -676,7 +720,7 @@ var zCredentialIssuerMetadataDisplayEntry = z12.object({
     alt_text: z12.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialIssuerMetadataDraft14Draft15 = z12.object({
+var zCredentialIssuerMetadataDraft14Draft15Draft16 = z12.object({
   credential_issuer: zHttpsUrl2,
   authorization_servers: z12.array(zHttpsUrl2).optional(),
   credential_endpoint: zHttpsUrl2,
@@ -749,7 +793,13 @@ var zCredentialConfigurationSupportedDraft11To14 = z12.object({
   }
   return z12.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
-var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
+var zCredentialConfigurationSupportedDraft16To15 = zCredentialConfigurationSupportedWithFormats.transform(
+  ({ credential_metadata, ...rest }) => ({
+    ...credential_metadata,
+    ...rest
+  })
+);
+var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedDraft16To15.and(
   z12.object({
     id: z12.string()
   }).passthrough()
@@ -776,7 +826,7 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     zJwtVcJsonCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
     // To handle unrecognized formats and not error immediately we allow the common format as well
-    // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
+    // but they can't use any of the format identifiers that have a specific transformation. This way if a format is
     // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
     z12.object({
       format: z12.string().refine(
@@ -789,7 +839,7 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     }).passthrough()
   ])
 );
-var zCredentialIssuerMetadataDraft11To14 = z12.object({
+var zCredentialIssuerMetadataDraft11To16 = z12.object({
   authorization_server: z12.string().optional(),
   credentials_supported: z12.array(
     z12.object({
@@ -807,11 +857,11 @@ var zCredentialIssuerMetadataDraft11To14 = z12.object({
   };
 }).pipe(
   z12.object({
-    // Update from v11 structrue to v14 structure
+    // Update from v11 structure to v14 structure
     credential_configurations_supported: z12.record(z12.string(), zCredentialConfigurationSupportedDraft11To14)
   }).passthrough()
-).pipe(zCredentialIssuerMetadataDraft14Draft15);
-var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
+).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15Draft16.transform((issuerMetadata) => ({
   ...issuerMetadata,
   ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
   credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
@@ -819,37 +869,39 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft
     id
   }))
 })).pipe(
-  zCredentialIssuerMetadataDraft14Draft15.extend({
+  zCredentialIssuerMetadataDraft14Draft15Draft16.extend({
     credentials_supported: z12.array(zCredentialConfigurationSupportedDraft14To11)
   })
 );
 var zCredentialIssuerMetadata = z12.union([
-  // First prioritize draft 15/14 (and 13)
-  zCredentialIssuerMetadataDraft14Draft15,
-  // Then try parsing draft 11 and transform into draft 14
-  zCredentialIssuerMetadataDraft11To14
+  // First prioritize draft 16/15/14 (and 13)
+  zCredentialIssuerMetadataDraft14Draft15Draft16,
+  // Then try parsing draft 11 and transform into draft 16
+  zCredentialIssuerMetadataDraft11To16
 ]);
 var zCredentialIssuerMetadataWithDraftVersion = z12.union([
-  zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
-    const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
-      (configuration) => {
-        const knownConfiguration = configuration;
-        if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
-        if (Array.isArray(knownConfiguration.claims)) return true;
-        if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
-          (proofType) => proofType.key_attestations_required !== void 0
-        ))
-          return true;
-        return false;
-      }
-    );
+  zCredentialIssuerMetadataDraft14Draft15Draft16.transform((credentialIssuerMetadata) => {
+    const credentialConfigurations = Object.values(credentialIssuerMetadata.credential_configurations_supported);
+    const isDraft15 = credentialConfigurations.some((configuration) => {
+      const knownConfiguration = configuration;
+      if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
+      if (Array.isArray(knownConfiguration.claims)) return true;
+      if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
+        (proofType) => proofType.key_attestations_required !== void 0
+      ))
+        return true;
+      return false;
+    });
+    const isDraft16 = credentialConfigurations.some((configuration) => {
+      return configuration.credential_metadata;
+    });
     return {
       credentialIssuerMetadata,
-      originalDraftVersion: isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
+      originalDraftVersion: isDraft16 ? "Draft16" /* Draft16 */ : isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
     };
   }),
   // Then try parsing draft 11 and transform into draft 14
-  zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
+  zCredentialIssuerMetadataDraft11To16.transform((credentialIssuerMetadata) => ({
     credentialIssuerMetadata,
     originalDraftVersion: "Draft11" /* Draft11 */
   }))
@@ -1110,6 +1162,7 @@ import {
 import { ContentType as ContentType2, isResponseContentType, parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
 
 // src/credential-request/z-credential-request.ts
+import { zJwk as zJwk3 } from "@openid4vc/oauth2";
 import z16 from "zod";
 
 // src/credential-request/z-credential-request-common.ts
@@ -1210,7 +1263,7 @@ var zCredentialRequestFormat = z16.object({
   credential_identifier: z16.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
   credential_configuration_id: z16.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).passthrough();
-var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
+var zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
   if (!allCredentialRequestFormatIdentifiers.includes(
     data.format
   ))
@@ -1229,7 +1282,7 @@ var zCredentialRequestDraft15 = z16.union([
   zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
 ]);
 var zCredentialRequestDraft14 = z16.union([
-  zCredenialRequestDraft14WithFormat,
+  zCredentialRequestDraft14WithFormat,
   zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
 ]);
 var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
@@ -1270,6 +1323,14 @@ var zCredentialRequest = z16.union([
   zCredentialRequestDraft14,
   zCredentialRequestDraft11To14
 ]);
+var zDeferredCredentialRequest = z16.object({
+  transaction_id: z16.string().nonempty(),
+  credential_response_encryption: z16.object({
+    jwk: zJwk3,
+    alg: z16.string(),
+    enc: z16.string()
+  }).passthrough().optional()
+});
 
 // src/credential-request/z-credential-response.ts
 import z18 from "zod";
@@ -1294,11 +1355,14 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["InsufficientAuthorization"] = "insufficient_authorization";
   Oauth2ErrorCodes4["InvalidCredentialRequest"] = "invalid_credential_request";
   Oauth2ErrorCodes4["CredentialRequestDenied"] = "credential_request_denied";
-  Oauth2ErrorCodes4["UnsupportedCredentialType"] = "unsupported_credential_type";
-  Oauth2ErrorCodes4["UnsupportedCredentialFormat"] = "unsupported_credential_format";
   Oauth2ErrorCodes4["InvalidProof"] = "invalid_proof";
   Oauth2ErrorCodes4["InvalidNonce"] = "invalid_nonce";
   Oauth2ErrorCodes4["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
+  Oauth2ErrorCodes4["UnknownCredentialConfiguration"] = "unknown_credential_configuration";
+  Oauth2ErrorCodes4["UnknownCredentialIdentifier"] = "unknown_credential_identifier";
+  Oauth2ErrorCodes4["InvalidTransactionId"] = "invalid_transaction_id";
+  Oauth2ErrorCodes4["UnsupportedCredentialType"] = "unsupported_credential_type";
+  Oauth2ErrorCodes4["UnsupportedCredentialFormat"] = "unsupported_credential_format";
   Oauth2ErrorCodes4["InvalidRequestUri"] = "invalid_request_uri";
   Oauth2ErrorCodes4["InvalidRequestObject"] = "invalid_request_object";
   Oauth2ErrorCodes4["RequestNotSupported"] = "request_not_supported";
@@ -1320,33 +1384,57 @@ var zOauth2ErrorResponse = z17.object({
 
 // src/credential-request/z-credential-response.ts
 var zCredentialEncoding = z18.union([z18.string(), z18.record(z18.string(), z18.any())]);
-var zCredentialResponse = z18.object({
-  credential: z18.optional(zCredentialEncoding),
+var zBaseCredentialResponse = z18.object({
   credentials: z18.optional(z18.array(zCredentialEncoding)),
+  interval: z18.number().int().positive().optional(),
+  notification_id: z18.string().optional()
+}).passthrough();
+var zCredentialResponse = zBaseCredentialResponse.extend({
+  credential: z18.optional(zCredentialEncoding),
   transaction_id: z18.string().optional(),
   c_nonce: z18.string().optional(),
-  c_nonce_expires_in: z18.number().int().optional(),
-  notification_id: z18.string().optional()
-}).passthrough().refine(
-  (value) => {
-    const { credential, credentials, transaction_id } = value;
-    return [credential, credentials, transaction_id].filter((i) => i !== void 0).length === 1;
-  },
-  {
-    message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
+  c_nonce_expires_in: z18.number().int().optional()
+}).passthrough().superRefine((value, ctx) => {
+  const { credential, credentials, transaction_id, interval, notification_id } = value;
+  if ([credential, credentials, transaction_id].filter((i) => i !== void 0).length !== 1) {
+    ctx.addIssue({
+      code: z18.ZodIssueCode.custom,
+      message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
+    });
   }
-);
+  if (transaction_id && !interval) {
+    ctx.addIssue({
+      code: z18.ZodIssueCode.custom,
+      message: `'interval' MUST be defined when 'transaction_id' is defined.`
+    });
+  }
+  if (notification_id && !(credentials || credential)) {
+    ctx.addIssue({
+      code: z18.ZodIssueCode.custom,
+      message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
+    });
+  }
+});
 var zCredentialErrorResponse = z18.object({
   ...zOauth2ErrorResponse.shape,
   c_nonce: z18.string().optional(),
   c_nonce_expires_in: z18.number().int().optional()
 }).passthrough();
+var zDeferredCredentialResponse = zBaseCredentialResponse.refine(
+  (value) => {
+    const { credentials, interval } = value;
+    return [credentials, interval].filter((i) => i !== void 0).length === 1;
+  },
+  {
+    message: `Exactly one of 'credentials' or 'interval' MUST be defined.`
+  }
+);
 
 // src/credential-request/retrieve-credentials.ts
 async function retrieveCredentialsWithCredentialConfigurationId(options) {
-  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */) {
+  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */ && options.issuerMetadata.originalDraftVersion !== "Draft16" /* Draft16 */) {
     throw new Openid4vciError(
-      "Requesting credentials based on format is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
+      "Requesting credentials based on credential configuration ID is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
     );
   }
   getCredentialConfigurationSupportedById(
@@ -1368,7 +1456,7 @@ async function retrieveCredentialsWithCredentialConfigurationId(options) {
   });
 }
 async function retrieveCredentialsWithFormat(options) {
-  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */ || options.issuerMetadata.originalDraftVersion === "Draft16" /* Draft16 */) {
     throw new Openid4vciError(
       "Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request."
     );
@@ -1448,6 +1536,54 @@ async function retrieveCredentials(options) {
     credentialResponse: credentialResponseResult.data
   };
 }
+async function retrieveDeferredCredentials(options) {
+  const credentialEndpoint = options.issuerMetadata.credentialIssuer.deferred_credential_endpoint;
+  if (!credentialEndpoint) {
+    throw new Openid4vciError(
+      `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support deferred credential retrieval.`
+    );
+  }
+  const deferredCredentialRequest = parseWithErrorHandling3(
+    zDeferredCredentialRequest,
+    {
+      transaction_id: options.transactionId,
+      ...options.additionalRequestPayload
+    },
+    "Error validating deferred credential request"
+  );
+  const resourceResponse = await resourceRequest({
+    dpop: options.dpop,
+    accessToken: options.accessToken,
+    callbacks: options.callbacks,
+    url: credentialEndpoint,
+    requestOptions: {
+      method: "POST",
+      headers: {
+        "Content-Type": ContentType2.Json
+      },
+      body: JSON.stringify(deferredCredentialRequest)
+    }
+  });
+  if (!resourceResponse.ok) {
+    const deferredCredentialErrorResponseResult = isResponseContentType(ContentType2.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+    return {
+      ...resourceResponse,
+      deferredCredentialErrorResponseResult
+    };
+  }
+  const deferredCredentialResponseResult = isResponseContentType(ContentType2.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+  if (!deferredCredentialResponseResult?.success) {
+    return {
+      ...resourceResponse,
+      ok: false,
+      deferredCredentialResponseResult
+    };
+  }
+  return {
+    ...resourceResponse,
+    deferredCredentialResponse: deferredCredentialResponseResult.data
+  };
+}
 
 // src/formats/proof-type/jwt/jwt-proof-type.ts
 import { decodeJwt as decodeJwt2, isJwkInSet, jwtHeaderFromJwtSigner as jwtHeaderFromJwtSigner2 } from "@openid4vc/oauth2";
@@ -1604,7 +1740,7 @@ async function requestNonce(options) {
   });
   if (!response.ok || !result) {
     throw new InvalidFetchResponseError2(
-      `Requesting nonce from '${nonceEndpoint}' resulted in an unsuccesfull response with status '${response.status}'`,
+      `Requesting nonce from '${nonceEndpoint}' resulted in an unsuccessful response with status '${response.status}'`,
       await response.clone().text(),
       response
     );
@@ -1642,7 +1778,7 @@ var zNotificationErrorResponse = z20.object({
 }).passthrough();
 
 // src/notification/notification.ts
-async function sendNotifcation(options) {
+async function sendNotification(options) {
   const notificationEndpoint = options.issuerMetadata.credentialIssuer.notification_endpoint;
   if (!notificationEndpoint) {
     throw new Oauth2Error6(
@@ -1717,7 +1853,7 @@ var Openid4vciClient = class {
    * Retrieve an authorization code for a presentation during issuance session
    *
    * This can only be called if an authorization challenge was performed before and returned a
-   * `presentation` paramater along with an `auth_session`. If the presentation response included
+   * `presentation` parameter along with an `auth_session`. If the presentation response included
    * an `presentation_during_issuance_session` parameter it MUST be included in this request as well.
    */
   async retrieveAuthorizationCodeUsingPresentation(options) {
@@ -1750,9 +1886,9 @@ var Openid4vciClient = class {
    *
    * In case the authorization challenge request returns an error with `insufficient_authorization`
    * with a `presentation` field it means the authorization server expects presentation of credentials
-   * before issuance of crednetials. If this is the case, the value in `presentation` should be treated
+   * before issuance of credentials. If this is the case, the value in `presentation` should be treated
    * as an openid4vp authorization request and submitted to the verifier. Once the presentation response
-   * has been submitted, the RP will respnosd with a `presentation_during_issuance_session` parameter.
+   * has been submitted, the RP will respond with a `presentation_during_issuance_session` parameter.
    * Together with the `auth_session` parameter returned in this call you can retrieve an `authorization_code`
    * using
    */
@@ -1926,7 +2062,7 @@ var Openid4vciClient = class {
    * Request a nonce to be used in credential request proofs from the `nonce_endpoint`
    *
    * @throws Openid4vciError - if no `nonce_endpoint` is configured in the issuer metadata
-   * @thrwos InvalidFetchResponseError - if the nonce endpoint did not return a succesfull response
+   * @throws InvalidFetchResponseError - if the nonce endpoint did not return a successful response
    * @throws ValidationError - if validating the nonce response failed
    */
   async requestNonce(options) {
@@ -1978,7 +2114,7 @@ var Openid4vciClient = class {
     };
   }
   /**
-   * @throws Openid4vciRetrieveCredentialsError - if an unsuccesfull response or the respnose couldn't be parsed as credential response
+   * @throws Openid4vciRetrieveCredentialsError - if an unsuccessful response or the response couldn't be parsed as credential response
    * @throws ValidationError - if validation of the credential request failed
    * @throws Openid4vciError - if the `credentialConfigurationId` couldn't be found, or if the the format specific request couldn't be constructed
    */
@@ -1992,7 +2128,7 @@ var Openid4vciClient = class {
     dpop
   }) {
     let credentialResponse;
-    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */ || issuerMetadata.originalDraftVersion === "Draft16" /* Draft16 */) {
       credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
         accessToken,
         credentialConfigurationId,
@@ -2029,7 +2165,25 @@ var Openid4vciClient = class {
     return credentialResponse;
   }
   /**
-   * @throws Openid4vciSendNotificationError - if an unsuccesfull response
+   * @throws Openid4vciRetrieveCredentialsError - if an unsuccessful response or the response couldn't be parsed as credential response
+   * @throws ValidationError - if validation of the credential request failed
+   */
+  async retrieveDeferredCredentials(options) {
+    const credentialResponse = await retrieveDeferredCredentials({
+      ...options,
+      callbacks: this.options.callbacks
+    });
+    if (!credentialResponse.ok) {
+      throw new Openid4vciRetrieveCredentialsError(
+        `Error retrieving deferred credentials from '${options.issuerMetadata.credentialIssuer.credential_issuer}'`,
+        credentialResponse,
+        await credentialResponse.response.clone().text()
+      );
+    }
+    return credentialResponse;
+  }
+  /**
+   * @throws Openid4vciSendNotificationError - if an unsuccessful response
    * @throws ValidationError - if validation of the notification request failed
    */
   async sendNotification({
@@ -2039,7 +2193,7 @@ var Openid4vciClient = class {
     accessToken,
     dpop
   }) {
-    const notificationResponse = await sendNotifcation({
+    const notificationResponse = await sendNotification({
       accessToken,
       issuerMetadata,
       additionalRequestPayload,
@@ -2064,7 +2218,7 @@ import {
   Oauth2JwtVerificationError,
   Oauth2ServerErrorResponseError
 } from "@openid4vc/oauth2";
-import { ValidationError as ValidationError4, parseWithErrorHandling as parseWithErrorHandling10 } from "@openid4vc/utils";
+import { ValidationError as ValidationError4, parseWithErrorHandling as parseWithErrorHandling11 } from "@openid4vc/utils";
 
 // src/credential-request/credential-response.ts
 import { parseWithErrorHandling as parseWithErrorHandling8 } from "@openid4vc/utils";
@@ -2075,6 +2229,8 @@ function createCredentialResponse(options) {
     credential: options.credential,
     credentials: options.credentials,
     notification_id: options.notificationId,
+    transaction_id: options.transactionId,
+    interval: options.interval,
     // NOTE `format` is removed in draft 13. For now if a format was requested
     // we just always return it in the response as well.
     format: options.credentialRequest.format?.format,
@@ -2082,6 +2238,14 @@ function createCredentialResponse(options) {
   });
   return credentialResponse;
 }
+function createDeferredCredentialResponse(options) {
+  return parseWithErrorHandling8(zDeferredCredentialResponse, {
+    credentials: options.credentials,
+    notification_id: options.notificationId,
+    interval: options.interval,
+    ...options.additionalPayload
+  });
+}
 
 // src/credential-request/parse-credential-request.ts
 import { parseWithErrorHandling as parseWithErrorHandling9 } from "@openid4vc/utils";
@@ -2145,6 +2309,19 @@ function parseCredentialRequest(options) {
   };
 }
 
+// src/credential-request/parse-deferred-credential-request.ts
+import { parseWithErrorHandling as parseWithErrorHandling10 } from "@openid4vc/utils";
+function parseDeferredCredentialRequest(options) {
+  const deferredCredentialRequest = parseWithErrorHandling10(
+    zDeferredCredentialRequest,
+    options.deferredCredentialRequest,
+    "Error validating credential request"
+  );
+  return {
+    deferredCredentialRequest
+  };
+}
+
 // src/formats/proof-type/attestation/attestation-proof-type.ts
 async function verifyCredentialRequestAttestationProof(options) {
   const verificationResult = await verifyKeyAttestationJwt({
@@ -2160,7 +2337,7 @@ var Openid4vciIssuer = class {
     this.options = options;
   }
   getCredentialIssuerMetadataDraft11(credentialIssuerMetadata) {
-    return parseWithErrorHandling10(zCredentialIssuerMetadataWithDraft11, credentialIssuerMetadata);
+    return parseWithErrorHandling11(zCredentialIssuerMetadataWithDraft11, credentialIssuerMetadata);
   }
   getKnownCredentialConfigurationsSupported(credentialIssuerMetadata) {
     return extractKnownCredentialConfigurationSupportedFormats(
@@ -2171,7 +2348,7 @@ var Openid4vciIssuer = class {
    * Create issuer metadata and validates the structure is correct
    */
   createCredentialIssuerMetadata(credentialIssuerMetadata) {
-    return parseWithErrorHandling10(
+    return parseWithErrorHandling11(
       zCredentialIssuerMetadata,
       credentialIssuerMetadata,
       "Error validating credential issuer metadata"
@@ -2208,7 +2385,7 @@ var Openid4vciIssuer = class {
         {
           error: Oauth2ErrorCodes3.InvalidProof,
           error_description: (
-            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
+            // TODO: error should have a internalErrorMessage and a publicErrorMessage
             error instanceof Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
           )
         },
@@ -2237,7 +2414,7 @@ var Openid4vciIssuer = class {
         {
           error: Oauth2ErrorCodes3.InvalidProof,
           error_description: (
-            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
+            // TODO: error should have a internalErrorMessage and a publicErrorMessage
             error instanceof Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
           )
         },
@@ -2271,12 +2448,37 @@ var Openid4vciIssuer = class {
       );
     }
   }
+  /**
+   * @throws Oauth2ServerErrorResponseError - when validation of the deferred credential request fails
+   */
+  parseDeferredCredentialRequest(options) {
+    try {
+      return parseDeferredCredentialRequest(options);
+    } catch (error) {
+      throw new Oauth2ServerErrorResponseError(
+        {
+          error: Oauth2ErrorCodes3.InvalidCredentialRequest,
+          error_description: error instanceof ValidationError4 ? error.message : "Invalid request"
+        },
+        {
+          internalMessage: "Error parsing deferred credential request",
+          cause: error
+        }
+      );
+    }
+  }
   /**
    * @throws ValidationError - when validation of the credential response fails
    */
   createCredentialResponse(options) {
     return createCredentialResponse(options);
   }
+  /**
+   * @throws ValidationError - when validation of the credential response fails
+   */
+  createDeferredCredentialResponse(options) {
+    return createDeferredCredentialResponse(options);
+  }
   /**
    * @throws ValidationError - when validation of the nonce response fails
    */