npm - @openid4vc/openid4vci - Versions diffs - 0.3.0-alpha-20250811071720 → 0.3.0-alpha-20250811083900 - Mend

@openid4vc/openid4vci 0.3.0-alpha-20250811071720 → 0.3.0-alpha-20250811083900

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -43,9 +43,9 @@ __export(index_exports, {
   determineAuthorizationServerForCredentialOffer: () => determineAuthorizationServerForCredentialOffer,
   extractScopesForCredentialConfigurationIds: () => extractScopesForCredentialConfigurationIds,
   getCredentialConfigurationsMatchingRequestFormat: () => getCredentialConfigurationsMatchingRequestFormat,
-  getGlobalConfig: () => import_utils21.getGlobalConfig,
+  getGlobalConfig: () => import_utils22.getGlobalConfig,
   parseKeyAttestationJwt: () => parseKeyAttestationJwt,
-  setGlobalConfig: () => import_utils21.setGlobalConfig,
+  setGlobalConfig: () => import_utils22.setGlobalConfig,
   verifyKeyAttestationJwt: () => verifyKeyAttestationJwt
 });
 module.exports = __toCommonJS(index_exports);
@@ -56,6 +56,7 @@ var import_utils2 = require("@openid4vc/utils");
 // src/version.ts
 var Openid4vciDraftVersion = /* @__PURE__ */ ((Openid4vciDraftVersion2) => {
+  Openid4vciDraftVersion2["Draft16"] = "Draft16";
   Openid4vciDraftVersion2["Draft15"] = "Draft15";
   Openid4vciDraftVersion2["Draft14"] = "Draft14";
   Openid4vciDraftVersion2["Draft11"] = "Draft11";
@@ -144,7 +145,7 @@ async function resolveCredentialOffer(credentialOffer, options) {
     );
     if (!response.ok || !result) {
       throw new import_oauth22.InvalidFetchResponseError(
-        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccesfull response with status '${response.status}'`,
+        `Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccessful response with status '${response.status}'`,
         await response.clone().text(),
         response
       );
@@ -261,7 +262,7 @@ async function createCredentialOffer(options) {
 }
 // src/index.ts
-var import_utils21 = require("@openid4vc/utils");
+var import_utils22 = require("@openid4vc/utils");
 // src/credential-request/credential-request-configurations.ts
 var import_utils6 = require("@openid4vc/utils");
@@ -276,7 +277,7 @@ var import_utils4 = require("@openid4vc/utils");
 var import_zod12 = __toESM(require("zod"));
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var import_zod3 = __toESM(require("zod"));
+var import_zod5 = __toESM(require("zod"));
 // src/metadata/credential-issuer/z-claims-description.ts
 var import_zod2 = __toESM(require("zod"));
@@ -306,98 +307,196 @@ var zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.e
   path: zMsoMdocClaimsDescriptionPath
 });
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var import_zod4 = __toESM(require("zod"));
+// src/key-attestation/z-key-attestation.ts
+var import_oauth23 = require("@openid4vc/oauth2");
+var import_utils3 = require("@openid4vc/utils");
+var import_zod3 = __toESM(require("zod"));
+var zKeyAttestationJwtHeader = import_zod3.default.object({
+  ...import_oauth23.zJwtHeader.shape,
+  typ: import_zod3.default.literal("keyattestation+jwt").or(
+    // Draft 16
+    import_zod3.default.literal("key-attestation+jwt")
+  )
+}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
+  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
+}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
+  message: `When 'trust_chain' is provided, 'kid' is required`
+});
+var zIso18045 = import_zod3.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
+var zIso18045OrStringArray = import_zod3.default.array(import_zod3.default.union([zIso18045, import_zod3.default.string()]));
+var zKeyAttestationJwtPayload = import_zod3.default.object({
+  ...import_oauth23.zJwtPayload.shape,
+  iat: import_utils3.zInteger,
+  attested_keys: import_zod3.default.array(import_oauth23.zJwk),
+  key_storage: import_zod3.default.optional(zIso18045OrStringArray),
+  user_authentication: import_zod3.default.optional(zIso18045OrStringArray),
+  certification: import_zod3.default.optional(import_zod3.default.string().url())
+}).passthrough();
+var zKeyAttestationJwtPayloadForUse = (use) => import_zod3.default.object({
+  ...zKeyAttestationJwtPayload.shape,
+  // REQUIRED when used as proof_type.attesation directly
+  nonce: use === "proof_type.attestation" ? import_zod3.default.string({
+    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
+  }) : import_zod3.default.optional(import_zod3.default.string()),
+  // REQUIRED when used within header of proof_type.jwt
+  exp: use === "proof_type.jwt" ? import_utils3.zInteger : import_zod3.default.optional(import_utils3.zInteger)
+}).passthrough();
+// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
+var zCredentialConfigurationSupportedCommonCredentialMetadata = import_zod4.default.object({
+  display: import_zod4.default.array(
+    import_zod4.default.object({
+      name: import_zod4.default.string(),
+      locale: import_zod4.default.string().optional(),
+      logo: import_zod4.default.object({
+        // FIXME: make required again, but need to support draft 11 first
+        uri: import_zod4.default.string().optional(),
+        alt_text: import_zod4.default.string().optional()
+      }).passthrough().optional(),
+      description: import_zod4.default.string().optional(),
+      background_color: import_zod4.default.string().optional(),
+      background_image: import_zod4.default.object({
+        // TODO: should be required, but paradym's metadata is wrong here.
+        uri: import_zod4.default.string().optional()
+      }).passthrough().optional(),
+      text_color: import_zod4.default.string().optional()
+    }).passthrough()
+  ).optional()
+});
+var zCredentialConfigurationSupportedCommon = import_zod4.default.object({
+  format: import_zod4.default.string(),
+  scope: import_zod4.default.string().optional(),
+  cryptographic_binding_methods_supported: import_zod4.default.array(import_zod4.default.string()).optional(),
+  credential_signing_alg_values_supported: import_zod4.default.array(import_zod4.default.string()).or(import_zod4.default.array(import_zod4.default.number())).optional(),
+  proof_types_supported: import_zod4.default.record(
+    import_zod4.default.union([import_zod4.default.literal("jwt"), import_zod4.default.literal("attestation"), import_zod4.default.string()]),
+    import_zod4.default.object({
+      proof_signing_alg_values_supported: import_zod4.default.array(import_zod4.default.string()),
+      key_attestations_required: import_zod4.default.object({
+        key_storage: zIso18045OrStringArray.optional(),
+        user_authentication: zIso18045OrStringArray.optional()
+      }).passthrough().optional()
+    })
+  ).optional(),
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.optional()
+}).passthrough();
 // src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-var zMsoMdocFormatIdentifier = import_zod3.default.literal("mso_mdoc");
-var zMsoMdocCredentialIssuerMetadata = import_zod3.default.object({
+var zMsoMdocFormatIdentifier = import_zod5.default.literal("mso_mdoc");
+var zMsoMdocCredentialIssuerMetadata = import_zod5.default.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: import_zod3.default.string(),
-  claims: import_zod3.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+  doctype: import_zod5.default.string(),
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: import_zod5.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+  }).optional()
 });
-var zMsoMdocCredentialIssuerMetadataDraft14 = import_zod3.default.object({
+var zMsoMdocCredentialIssuerMetadataDraft15 = import_zod5.default.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: import_zod3.default.string(),
+  doctype: import_zod5.default.string(),
+  claims: import_zod5.default.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+});
+var zMsoMdocCredentialIssuerMetadataDraft14 = import_zod5.default.object({
+  format: zMsoMdocFormatIdentifier,
+  doctype: import_zod5.default.string(),
   claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
-  order: import_zod3.default.optional(import_zod3.default.array(import_zod3.default.string()))
+  order: import_zod5.default.optional(import_zod5.default.array(import_zod5.default.string()))
 });
-var zMsoMdocCredentialRequestFormatDraft14 = import_zod3.default.object({
+var zMsoMdocCredentialRequestFormatDraft14 = import_zod5.default.object({
   format: zMsoMdocFormatIdentifier,
-  doctype: import_zod3.default.string(),
+  doctype: import_zod5.default.string(),
   // Format based request is removed in Draft 15, so only old claims syntax supported.
-  claims: import_zod3.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
+  claims: import_zod5.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 // src/formats/credential/sd-jwt-vc/z-sd-jwt-vc.ts
-var import_zod4 = __toESM(require("zod"));
-var zSdJwtVcFormatIdentifier = import_zod4.default.literal("vc+sd-jwt");
-var zSdJwtVcCredentialIssuerMetadataDraft14 = import_zod4.default.object({
-  vct: import_zod4.default.string(),
+var import_zod6 = __toESM(require("zod"));
+var zSdJwtVcFormatIdentifier = import_zod6.default.literal("vc+sd-jwt");
+var zSdJwtVcCredentialIssuerMetadataDraft14 = import_zod6.default.object({
+  vct: import_zod6.default.string(),
   format: zSdJwtVcFormatIdentifier,
-  claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaimsDraft14),
-  order: import_zod4.default.optional(import_zod4.default.array(import_zod4.default.string()))
+  claims: import_zod6.default.optional(zCredentialConfigurationSupportedClaimsDraft14),
+  order: import_zod6.default.optional(import_zod6.default.array(import_zod6.default.string()))
 });
-var zSdJwtVcCredentialRequestFormatDraft14 = import_zod4.default.object({
+var zSdJwtVcCredentialRequestFormatDraft14 = import_zod6.default.object({
   format: zSdJwtVcFormatIdentifier,
-  vct: import_zod4.default.string(),
-  claims: import_zod4.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
+  vct: import_zod6.default.string(),
+  claims: import_zod6.default.optional(zCredentialConfigurationSupportedClaimsDraft14)
 });
 // src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
-var import_zod5 = __toESM(require("zod"));
-var zSdJwtDcFormatIdentifier = import_zod5.default.literal("dc+sd-jwt");
-var zSdJwtDcCredentialIssuerMetadata = import_zod5.default.object({
-  vct: import_zod5.default.string(),
+var import_zod7 = __toESM(require("zod"));
+var zSdJwtDcFormatIdentifier = import_zod7.default.literal("dc+sd-jwt");
+var zSdJwtDcCredentialIssuerMetadata = import_zod7.default.object({
+  vct: import_zod7.default.string(),
+  format: zSdJwtDcFormatIdentifier,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: import_zod7.default.array(zIssuerMetadataClaimsDescription).optional()
+  }).optional()
+});
+var zSdJwtDcCredentialIssuerMetadataDraft15 = import_zod7.default.object({
+  vct: import_zod7.default.string(),
   format: zSdJwtDcFormatIdentifier,
-  claims: import_zod5.default.array(zIssuerMetadataClaimsDescription).optional()
+  claims: import_zod7.default.array(zIssuerMetadataClaimsDescription).optional()
 });
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-var import_zod7 = __toESM(require("zod"));
+var import_zod9 = __toESM(require("zod"));
 // src/formats/credential/w3c-vc/z-w3c-vc-common.ts
-var import_zod6 = __toESM(require("zod"));
-var zCredentialSubjectLeafTypeDraft14 = import_zod6.default.object({
-  mandatory: import_zod6.default.boolean().optional(),
-  value_type: import_zod6.default.string().optional(),
-  display: import_zod6.default.array(
-    import_zod6.default.object({
-      name: import_zod6.default.string().optional(),
-      locale: import_zod6.default.string().optional()
+var import_zod8 = __toESM(require("zod"));
+var zCredentialSubjectLeafTypeDraft14 = import_zod8.default.object({
+  mandatory: import_zod8.default.boolean().optional(),
+  value_type: import_zod8.default.string().optional(),
+  display: import_zod8.default.array(
+    import_zod8.default.object({
+      name: import_zod8.default.string().optional(),
+      locale: import_zod8.default.string().optional()
     }).passthrough()
   ).optional()
 }).passthrough();
-var zClaimValueSchemaDraft14 = import_zod6.default.union([
-  import_zod6.default.array(import_zod6.default.any()),
-  import_zod6.default.record(import_zod6.default.string(), import_zod6.default.any()),
+var zClaimValueSchemaDraft14 = import_zod8.default.union([
+  import_zod8.default.array(import_zod8.default.any()),
+  import_zod8.default.record(import_zod8.default.string(), import_zod8.default.any()),
   zCredentialSubjectLeafTypeDraft14
 ]);
-var zW3cVcCredentialSubjectDraft14 = import_zod6.default.record(import_zod6.default.string(), zClaimValueSchemaDraft14);
-var zW3cVcJsonLdCredentialDefinition = import_zod6.default.object({
-  "@context": import_zod6.default.array(import_zod6.default.string()),
-  type: import_zod6.default.array(import_zod6.default.string())
+var zW3cVcCredentialSubjectDraft14 = import_zod8.default.record(import_zod8.default.string(), zClaimValueSchemaDraft14);
+var zW3cVcJsonLdCredentialDefinition = import_zod8.default.object({
+  "@context": import_zod8.default.array(import_zod8.default.string()),
+  type: import_zod8.default.array(import_zod8.default.string())
 }).passthrough();
 var zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 });
 // src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-var zLdpVcFormatIdentifier = import_zod7.default.literal("ldp_vc");
-var zLdpVcCredentialIssuerMetadata = import_zod7.default.object({
+var zLdpVcFormatIdentifier = import_zod9.default.literal("ldp_vc");
+var zLdpVcCredentialIssuerMetadata = import_zod9.default.object({
+  format: zLdpVcFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: zIssuerMetadataClaimsDescription.optional()
+  }).optional()
+});
+var zLdpVcCredentialIssuerMetadataDraft15 = import_zod9.default.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft14 = import_zod7.default.object({
+var zLdpVcCredentialIssuerMetadataDraft14 = import_zod9.default.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-  order: import_zod7.default.array(import_zod7.default.string()).optional()
+  order: import_zod9.default.array(import_zod9.default.string()).optional()
 });
-var zLdpVcCredentialIssuerMetadataDraft11 = import_zod7.default.object({
-  order: import_zod7.default.array(import_zod7.default.string()).optional(),
+var zLdpVcCredentialIssuerMetadataDraft11 = import_zod9.default.object({
+  order: import_zod9.default.array(import_zod9.default.string()).optional(),
   format: zLdpVcFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": import_zod7.default.array(import_zod7.default.string()),
-  types: import_zod7.default.array(import_zod7.default.string()),
+  "@context": import_zod9.default.array(import_zod9.default.string()),
+  types: import_zod9.default.array(import_zod9.default.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(
@@ -416,16 +515,16 @@ var zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDr
   ...credentialDefinition,
   types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-var zLdpVcCredentialRequestFormatDraft14 = import_zod7.default.object({
+var zLdpVcCredentialRequestFormatDraft14 = import_zod9.default.object({
   format: zLdpVcFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
-var zLdpVcCredentialRequestDraft11 = import_zod7.default.object({
+var zLdpVcCredentialRequestDraft11 = import_zod9.default.object({
   format: zLdpVcFormatIdentifier,
-  credential_definition: import_zod7.default.object({
-    "@context": import_zod7.default.array(import_zod7.default.string()),
+  credential_definition: import_zod9.default.object({
+    "@context": import_zod9.default.array(import_zod9.default.string()),
     // credential_definition was using types instead of type in v11
-    types: import_zod7.default.array(import_zod7.default.string()),
+    types: import_zod9.default.array(import_zod9.default.string()),
     credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
   })
 }).passthrough();
@@ -447,25 +546,32 @@ var zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.pa
 })).pipe(zLdpVcCredentialRequestDraft11);
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
-var import_zod8 = __toESM(require("zod"));
-var zJwtVcJsonLdFormatIdentifier = import_zod8.default.literal("jwt_vc_json-ld");
-var zJwtVcJsonLdCredentialIssuerMetadata = import_zod8.default.object({
+var import_zod10 = __toESM(require("zod"));
+var zJwtVcJsonLdFormatIdentifier = import_zod10.default.literal("jwt_vc_json-ld");
+var zJwtVcJsonLdCredentialIssuerMetadata = import_zod10.default.object({
+  format: zJwtVcJsonLdFormatIdentifier,
+  credential_definition: zW3cVcJsonLdCredentialDefinition,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: zIssuerMetadataClaimsDescription.optional()
+  }).optional()
+});
+var zJwtVcJsonLdCredentialIssuerMetadataDraft15 = import_zod10.default.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = import_zod8.default.object({
+var zJwtVcJsonLdCredentialIssuerMetadataDraft14 = import_zod10.default.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-  order: import_zod8.default.optional(import_zod8.default.array(import_zod8.default.string()))
+  order: import_zod10.default.optional(import_zod10.default.array(import_zod10.default.string()))
 });
-var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod8.default.object({
-  order: import_zod8.default.array(import_zod8.default.string()).optional(),
+var zJwtVcJsonLdCredentialIssuerMetadataDraft11 = import_zod10.default.object({
+  order: import_zod10.default.array(import_zod10.default.string()).optional(),
   format: zJwtVcJsonLdFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  "@context": import_zod8.default.array(import_zod8.default.string()),
-  types: import_zod8.default.array(import_zod8.default.string()),
+  "@context": import_zod10.default.array(import_zod10.default.string()),
+  types: import_zod10.default.array(import_zod10.default.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(
@@ -484,17 +590,17 @@ var zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssu
   ...credentialDefinition,
   types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-var zJwtVcJsonLdCredentialRequestFormatDraft14 = import_zod8.default.object({
+var zJwtVcJsonLdCredentialRequestFormatDraft14 = import_zod10.default.object({
   format: zJwtVcJsonLdFormatIdentifier,
   credential_definition: zW3cVcJsonLdCredentialDefinition
 });
-var zJwtVcJsonLdCredentialRequestDraft11 = import_zod8.default.object({
+var zJwtVcJsonLdCredentialRequestDraft11 = import_zod10.default.object({
   format: zJwtVcJsonLdFormatIdentifier,
-  credential_definition: import_zod8.default.object({
-    "@context": import_zod8.default.array(import_zod8.default.string()),
+  credential_definition: import_zod10.default.object({
+    "@context": import_zod10.default.array(import_zod10.default.string()),
     // credential_definition was using types instead of type in v11
-    types: import_zod8.default.array(import_zod8.default.string()),
-    credentialSubject: import_zod8.default.optional(zW3cVcCredentialSubjectDraft14)
+    types: import_zod10.default.array(import_zod10.default.string()),
+    credentialSubject: import_zod10.default.optional(zW3cVcCredentialSubjectDraft14)
   }).passthrough()
 }).passthrough();
 var zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(
@@ -515,30 +621,37 @@ var zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestForm
 })).pipe(zJwtVcJsonLdCredentialRequestDraft11);
 // src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
-var import_zod9 = __toESM(require("zod"));
-var zJwtVcJsonFormatIdentifier = import_zod9.default.literal("jwt_vc_json");
-var zJwtVcJsonCredentialDefinition = import_zod9.default.object({
-  type: import_zod9.default.array(import_zod9.default.string())
+var import_zod11 = __toESM(require("zod"));
+var zJwtVcJsonFormatIdentifier = import_zod11.default.literal("jwt_vc_json");
+var zJwtVcJsonCredentialDefinition = import_zod11.default.object({
+  type: import_zod11.default.array(import_zod11.default.string())
 }).passthrough();
 var zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadata = import_zod9.default.object({
+var zJwtVcJsonCredentialIssuerMetadata = import_zod11.default.object({
+  format: zJwtVcJsonFormatIdentifier,
+  credential_definition: zJwtVcJsonCredentialDefinition,
+  credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({
+    claims: zIssuerMetadataClaimsDescription.optional()
+  }).optional()
+});
+var zJwtVcJsonCredentialIssuerMetadataDraft15 = import_zod11.default.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition,
   claims: zIssuerMetadataClaimsDescription.optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft14 = import_zod9.default.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft14 = import_zod11.default.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
-  order: import_zod9.default.array(import_zod9.default.string()).optional()
+  order: import_zod11.default.array(import_zod11.default.string()).optional()
 });
-var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod9.default.object({
+var zJwtVcJsonCredentialIssuerMetadataDraft11 = import_zod11.default.object({
   format: zJwtVcJsonFormatIdentifier,
-  order: import_zod9.default.array(import_zod9.default.string()).optional(),
+  order: import_zod11.default.array(import_zod11.default.string()).optional(),
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: import_zod9.default.array(import_zod9.default.string()),
+  types: import_zod11.default.array(import_zod11.default.string()),
   credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).passthrough();
 var zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(
@@ -556,16 +669,16 @@ var zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMe
   types: type,
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-var zJwtVcJsonCredentialRequestFormatDraft14 = import_zod9.default.object({
+var zJwtVcJsonCredentialRequestFormatDraft14 = import_zod11.default.object({
   format: zJwtVcJsonFormatIdentifier,
   credential_definition: zJwtVcJsonCredentialDefinition
 });
-var zJwtVcJsonCredentialRequestDraft11 = import_zod9.default.object({
+var zJwtVcJsonCredentialRequestDraft11 = import_zod11.default.object({
   format: zJwtVcJsonFormatIdentifier,
   // Credential definition was spread on top level instead of a separatey property in v11
   // As well as using types instead of type
-  types: import_zod9.default.array(import_zod9.default.string()),
-  credentialSubject: import_zod9.default.optional(zW3cVcCredentialSubjectDraft14)
+  types: import_zod11.default.array(import_zod11.default.string()),
+  credentialSubject: import_zod11.default.optional(zW3cVcCredentialSubjectDraft14)
 }).passthrough();
 var zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(
   ({ types, credentialSubject, ...rest }) => {
@@ -585,80 +698,6 @@ var zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDr
   ...credentialDefinition
 })).pipe(zJwtVcJsonCredentialRequestDraft11);
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var import_zod11 = __toESM(require("zod"));
-// src/key-attestation/z-key-attestation.ts
-var import_oauth23 = require("@openid4vc/oauth2");
-var import_utils3 = require("@openid4vc/utils");
-var import_zod10 = __toESM(require("zod"));
-var zKeyAttestationJwtHeader = import_zod10.default.object({
-  ...import_oauth23.zJwtHeader.shape,
-  typ: import_zod10.default.literal("keyattestation+jwt").or(
-    // Draft 16
-    import_zod10.default.literal("key-attestation+jwt")
-  )
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, {
-  message: `Both 'jwk' and 'kid' are defined. Only one is allowed`
-}).refine(({ trust_chain, kid }) => !trust_chain || !kid, {
-  message: `When 'trust_chain' is provided, 'kid' is required`
-});
-var zIso18045 = import_zod10.default.enum(["iso_18045_high", "iso_18045_moderate", "iso_18045_enhanced-basic", "iso_18045_basic"]);
-var zIso18045OrStringArray = import_zod10.default.array(import_zod10.default.union([zIso18045, import_zod10.default.string()]));
-var zKeyAttestationJwtPayload = import_zod10.default.object({
-  ...import_oauth23.zJwtPayload.shape,
-  iat: import_utils3.zInteger,
-  attested_keys: import_zod10.default.array(import_oauth23.zJwk),
-  key_storage: import_zod10.default.optional(zIso18045OrStringArray),
-  user_authentication: import_zod10.default.optional(zIso18045OrStringArray),
-  certification: import_zod10.default.optional(import_zod10.default.string().url())
-}).passthrough();
-var zKeyAttestationJwtPayloadForUse = (use) => import_zod10.default.object({
-  ...zKeyAttestationJwtPayload.shape,
-  // REQUIRED when used as proof_type.attesation directly
-  nonce: use === "proof_type.attestation" ? import_zod10.default.string({
-    message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly`
-  }) : import_zod10.default.optional(import_zod10.default.string()),
-  // REQUIRED when used within header of proof_type.jwt
-  exp: use === "proof_type.jwt" ? import_utils3.zInteger : import_zod10.default.optional(import_utils3.zInteger)
-}).passthrough();
-// src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-var zCredentialConfigurationSupportedCommon = import_zod11.default.object({
-  format: import_zod11.default.string(),
-  scope: import_zod11.default.string().optional(),
-  cryptographic_binding_methods_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
-  credential_signing_alg_values_supported: import_zod11.default.array(import_zod11.default.string()).optional(),
-  proof_types_supported: import_zod11.default.record(
-    import_zod11.default.union([import_zod11.default.literal("jwt"), import_zod11.default.literal("attestation"), import_zod11.default.string()]),
-    import_zod11.default.object({
-      proof_signing_alg_values_supported: import_zod11.default.array(import_zod11.default.string()),
-      key_attestations_required: import_zod11.default.object({
-        key_storage: zIso18045OrStringArray.optional(),
-        user_authentication: zIso18045OrStringArray.optional()
-      }).passthrough().optional()
-    })
-  ).optional(),
-  display: import_zod11.default.array(
-    import_zod11.default.object({
-      name: import_zod11.default.string(),
-      locale: import_zod11.default.string().optional(),
-      logo: import_zod11.default.object({
-        // FIXME: make required again, but need to support draft 11 first
-        uri: import_zod11.default.string().optional(),
-        alt_text: import_zod11.default.string().optional()
-      }).passthrough().optional(),
-      description: import_zod11.default.string().optional(),
-      background_color: import_zod11.default.string().optional(),
-      background_image: import_zod11.default.object({
-        // TODO: should be required, but paradym's metadata is wrong here.
-        uri: import_zod11.default.string().optional()
-      }).passthrough().optional(),
-      text_color: import_zod11.default.string().optional()
-    }).passthrough()
-  ).optional()
-}).passthrough();
 // src/metadata/credential-issuer/z-credential-issuer-metadata.ts
 var allCredentialIssuerMetadataFormats = [
   zSdJwtDcCredentialIssuerMetadata,
@@ -666,6 +705,11 @@ var allCredentialIssuerMetadataFormats = [
   zJwtVcJsonLdCredentialIssuerMetadata,
   zLdpVcCredentialIssuerMetadata,
   zJwtVcJsonCredentialIssuerMetadata,
+  zSdJwtDcCredentialIssuerMetadataDraft15,
+  zMsoMdocCredentialIssuerMetadataDraft15,
+  zJwtVcJsonLdCredentialIssuerMetadataDraft15,
+  zLdpVcCredentialIssuerMetadataDraft15,
+  zJwtVcJsonCredentialIssuerMetadataDraft15,
   zMsoMdocCredentialIssuerMetadataDraft14,
   zSdJwtVcCredentialIssuerMetadataDraft14,
   zJwtVcJsonLdCredentialIssuerMetadataDraft14,
@@ -710,7 +754,7 @@ var zCredentialIssuerMetadataDisplayEntry = import_zod12.default.object({
     alt_text: import_zod12.default.string().optional()
   }).passthrough().optional()
 }).passthrough();
-var zCredentialIssuerMetadataDraft14Draft15 = import_zod12.default.object({
+var zCredentialIssuerMetadataDraft14Draft15Draft16 = import_zod12.default.object({
   credential_issuer: import_utils4.zHttpsUrl,
   authorization_servers: import_zod12.default.array(import_utils4.zHttpsUrl).optional(),
   credential_endpoint: import_utils4.zHttpsUrl,
@@ -783,7 +827,13 @@ var zCredentialConfigurationSupportedDraft11To14 = import_zod12.default.object({
   }
   return import_zod12.default.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
-var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedWithFormats.and(
+var zCredentialConfigurationSupportedDraft16To15 = zCredentialConfigurationSupportedWithFormats.transform(
+  ({ credential_metadata, ...rest }) => ({
+    ...credential_metadata,
+    ...rest
+  })
+);
+var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSupportedDraft16To15.and(
   import_zod12.default.object({
     id: import_zod12.default.string()
   }).passthrough()
@@ -810,7 +860,7 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     zJwtVcJsonCredentialIssuerMetadataDraft14To11,
     zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
     // To handle unrecognized formats and not error immediately we allow the common format as well
-    // but they can't use any of the foramt identifiers that have a specific transformation. This way if a format is
+    // but they can't use any of the format identifiers that have a specific transformation. This way if a format is
     // has a transformation it NEEDS to use the format specific transformation, and otherwise we fall back to the common validation
     import_zod12.default.object({
       format: import_zod12.default.string().refine(
@@ -823,7 +873,7 @@ var zCredentialConfigurationSupportedDraft14To11 = zCredentialConfigurationSuppo
     }).passthrough()
   ])
 );
-var zCredentialIssuerMetadataDraft11To14 = import_zod12.default.object({
+var zCredentialIssuerMetadataDraft11To16 = import_zod12.default.object({
   authorization_server: import_zod12.default.string().optional(),
   credentials_supported: import_zod12.default.array(
     import_zod12.default.object({
@@ -841,11 +891,11 @@ var zCredentialIssuerMetadataDraft11To14 = import_zod12.default.object({
   };
 }).pipe(
   import_zod12.default.object({
-    // Update from v11 structrue to v14 structure
+    // Update from v11 structure to v14 structure
     credential_configurations_supported: import_zod12.default.record(import_zod12.default.string(), zCredentialConfigurationSupportedDraft11To14)
   }).passthrough()
-).pipe(zCredentialIssuerMetadataDraft14Draft15);
-var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15.transform((issuerMetadata) => ({
+).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
+var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15Draft16.transform((issuerMetadata) => ({
   ...issuerMetadata,
   ...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
   credentials_supported: Object.entries(issuerMetadata.credential_configurations_supported).map(([id, value]) => ({
@@ -853,37 +903,39 @@ var zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft
     id
   }))
 })).pipe(
-  zCredentialIssuerMetadataDraft14Draft15.extend({
+  zCredentialIssuerMetadataDraft14Draft15Draft16.extend({
     credentials_supported: import_zod12.default.array(zCredentialConfigurationSupportedDraft14To11)
   })
 );
 var zCredentialIssuerMetadata = import_zod12.default.union([
-  // First prioritize draft 15/14 (and 13)
-  zCredentialIssuerMetadataDraft14Draft15,
-  // Then try parsing draft 11 and transform into draft 14
-  zCredentialIssuerMetadataDraft11To14
+  // First prioritize draft 16/15/14 (and 13)
+  zCredentialIssuerMetadataDraft14Draft15Draft16,
+  // Then try parsing draft 11 and transform into draft 16
+  zCredentialIssuerMetadataDraft11To16
 ]);
 var zCredentialIssuerMetadataWithDraftVersion = import_zod12.default.union([
-  zCredentialIssuerMetadataDraft14Draft15.transform((credentialIssuerMetadata) => {
-    const isDraft15 = Object.values(credentialIssuerMetadata.credential_configurations_supported).some(
-      (configuration) => {
-        const knownConfiguration = configuration;
-        if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
-        if (Array.isArray(knownConfiguration.claims)) return true;
-        if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
-          (proofType) => proofType.key_attestations_required !== void 0
-        ))
-          return true;
-        return false;
-      }
-    );
+  zCredentialIssuerMetadataDraft14Draft15Draft16.transform((credentialIssuerMetadata) => {
+    const credentialConfigurations = Object.values(credentialIssuerMetadata.credential_configurations_supported);
+    const isDraft15 = credentialConfigurations.some((configuration) => {
+      const knownConfiguration = configuration;
+      if (knownConfiguration.format === zSdJwtDcFormatIdentifier.value) return true;
+      if (Array.isArray(knownConfiguration.claims)) return true;
+      if (Object.values(knownConfiguration.proof_types_supported ?? {}).some(
+        (proofType) => proofType.key_attestations_required !== void 0
+      ))
+        return true;
+      return false;
+    });
+    const isDraft16 = credentialConfigurations.some((configuration) => {
+      return configuration.credential_metadata;
+    });
     return {
       credentialIssuerMetadata,
-      originalDraftVersion: isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
+      originalDraftVersion: isDraft16 ? "Draft16" /* Draft16 */ : isDraft15 ? "Draft15" /* Draft15 */ : "Draft14" /* Draft14 */
     };
   }),
   // Then try parsing draft 11 and transform into draft 14
-  zCredentialIssuerMetadataDraft11To14.transform((credentialIssuerMetadata) => ({
+  zCredentialIssuerMetadataDraft11To16.transform((credentialIssuerMetadata) => ({
     credentialIssuerMetadata,
     originalDraftVersion: "Draft11" /* Draft11 */
   }))
@@ -1071,7 +1123,7 @@ function credentialsSupportedToCredentialConfigurationsSupported(credentialsSupp
 }
 // src/Openid4vciClient.ts
-var import_oauth218 = require("@openid4vc/oauth2");
+var import_oauth219 = require("@openid4vc/oauth2");
 // src/credential-request/format-payload.ts
 var import_utils10 = require("@openid4vc/utils");
@@ -1129,10 +1181,11 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
 }
 // src/credential-request/retrieve-credentials.ts
-var import_oauth212 = require("@openid4vc/oauth2");
+var import_oauth213 = require("@openid4vc/oauth2");
 var import_utils12 = require("@openid4vc/utils");
 // src/credential-request/z-credential-request.ts
+var import_oauth212 = require("@openid4vc/oauth2");
 var import_zod16 = __toESM(require("zod"));
 // src/credential-request/z-credential-request-common.ts
@@ -1233,7 +1286,7 @@ var zCredentialRequestFormat = import_zod16.default.object({
   credential_identifier: import_zod16.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
   credential_configuration_id: import_zod16.default.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).passthrough();
-var zCredenialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
+var zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
   if (!allCredentialRequestFormatIdentifiers.includes(
     data.format
   ))
@@ -1252,7 +1305,7 @@ var zCredentialRequestDraft15 = import_zod16.default.union([
   zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)
 ]);
 var zCredentialRequestDraft14 = import_zod16.default.union([
-  zCredenialRequestDraft14WithFormat,
+  zCredentialRequestDraft14WithFormat,
   zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)
 ]);
 var zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
@@ -1293,6 +1346,14 @@ var zCredentialRequest = import_zod16.default.union([
   zCredentialRequestDraft14,
   zCredentialRequestDraft11To14
 ]);
+var zDeferredCredentialRequest = import_zod16.default.object({
+  transaction_id: import_zod16.default.string().nonempty(),
+  credential_response_encryption: import_zod16.default.object({
+    jwk: import_oauth212.zJwk,
+    alg: import_zod16.default.string(),
+    enc: import_zod16.default.string()
+  }).passthrough().optional()
+});
 // src/credential-request/z-credential-response.ts
 var import_zod18 = __toESM(require("zod"));
@@ -1317,11 +1378,14 @@ var Oauth2ErrorCodes = /* @__PURE__ */ ((Oauth2ErrorCodes4) => {
   Oauth2ErrorCodes4["InsufficientAuthorization"] = "insufficient_authorization";
   Oauth2ErrorCodes4["InvalidCredentialRequest"] = "invalid_credential_request";
   Oauth2ErrorCodes4["CredentialRequestDenied"] = "credential_request_denied";
-  Oauth2ErrorCodes4["UnsupportedCredentialType"] = "unsupported_credential_type";
-  Oauth2ErrorCodes4["UnsupportedCredentialFormat"] = "unsupported_credential_format";
   Oauth2ErrorCodes4["InvalidProof"] = "invalid_proof";
   Oauth2ErrorCodes4["InvalidNonce"] = "invalid_nonce";
   Oauth2ErrorCodes4["InvalidEncryptionParameters"] = "invalid_encryption_parameters";
+  Oauth2ErrorCodes4["UnknownCredentialConfiguration"] = "unknown_credential_configuration";
+  Oauth2ErrorCodes4["UnknownCredentialIdentifier"] = "unknown_credential_identifier";
+  Oauth2ErrorCodes4["InvalidTransactionId"] = "invalid_transaction_id";
+  Oauth2ErrorCodes4["UnsupportedCredentialType"] = "unsupported_credential_type";
+  Oauth2ErrorCodes4["UnsupportedCredentialFormat"] = "unsupported_credential_format";
   Oauth2ErrorCodes4["InvalidRequestUri"] = "invalid_request_uri";
   Oauth2ErrorCodes4["InvalidRequestObject"] = "invalid_request_object";
   Oauth2ErrorCodes4["RequestNotSupported"] = "request_not_supported";
@@ -1343,33 +1407,57 @@ var zOauth2ErrorResponse = import_zod17.default.object({
 // src/credential-request/z-credential-response.ts
 var zCredentialEncoding = import_zod18.default.union([import_zod18.default.string(), import_zod18.default.record(import_zod18.default.string(), import_zod18.default.any())]);
-var zCredentialResponse = import_zod18.default.object({
-  credential: import_zod18.default.optional(zCredentialEncoding),
+var zBaseCredentialResponse = import_zod18.default.object({
   credentials: import_zod18.default.optional(import_zod18.default.array(zCredentialEncoding)),
+  interval: import_zod18.default.number().int().positive().optional(),
+  notification_id: import_zod18.default.string().optional()
+}).passthrough();
+var zCredentialResponse = zBaseCredentialResponse.extend({
+  credential: import_zod18.default.optional(zCredentialEncoding),
   transaction_id: import_zod18.default.string().optional(),
   c_nonce: import_zod18.default.string().optional(),
-  c_nonce_expires_in: import_zod18.default.number().int().optional(),
-  notification_id: import_zod18.default.string().optional()
-}).passthrough().refine(
-  (value) => {
-    const { credential, credentials, transaction_id } = value;
-    return [credential, credentials, transaction_id].filter((i) => i !== void 0).length === 1;
-  },
-  {
-    message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
+  c_nonce_expires_in: import_zod18.default.number().int().optional()
+}).passthrough().superRefine((value, ctx) => {
+  const { credential, credentials, transaction_id, interval, notification_id } = value;
+  if ([credential, credentials, transaction_id].filter((i) => i !== void 0).length !== 1) {
+    ctx.addIssue({
+      code: import_zod18.default.ZodIssueCode.custom,
+      message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
+    });
   }
-);
+  if (transaction_id && !interval) {
+    ctx.addIssue({
+      code: import_zod18.default.ZodIssueCode.custom,
+      message: `'interval' MUST be defined when 'transaction_id' is defined.`
+    });
+  }
+  if (notification_id && !(credentials || credential)) {
+    ctx.addIssue({
+      code: import_zod18.default.ZodIssueCode.custom,
+      message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
+    });
+  }
+});
 var zCredentialErrorResponse = import_zod18.default.object({
   ...zOauth2ErrorResponse.shape,
   c_nonce: import_zod18.default.string().optional(),
   c_nonce_expires_in: import_zod18.default.number().int().optional()
 }).passthrough();
+var zDeferredCredentialResponse = zBaseCredentialResponse.refine(
+  (value) => {
+    const { credentials, interval } = value;
+    return [credentials, interval].filter((i) => i !== void 0).length === 1;
+  },
+  {
+    message: `Exactly one of 'credentials' or 'interval' MUST be defined.`
+  }
+);
 // src/credential-request/retrieve-credentials.ts
 async function retrieveCredentialsWithCredentialConfigurationId(options) {
-  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */) {
+  if (options.issuerMetadata.originalDraftVersion !== "Draft15" /* Draft15 */ && options.issuerMetadata.originalDraftVersion !== "Draft16" /* Draft16 */) {
     throw new Openid4vciError(
-      "Requesting credentials based on format is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
+      "Requesting credentials based on credential configuration ID is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request."
     );
   }
   getCredentialConfigurationSupportedById(
@@ -1391,7 +1479,7 @@ async function retrieveCredentialsWithCredentialConfigurationId(options) {
   });
 }
 async function retrieveCredentialsWithFormat(options) {
-  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+  if (options.issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */ || options.issuerMetadata.originalDraftVersion === "Draft16" /* Draft16 */) {
     throw new Openid4vciError(
       "Requesting credentials based on format is not supported in OpenID4VCI draft 15. Provide the credential configuration id directly in the request."
     );
@@ -1420,13 +1508,13 @@ async function retrieveCredentials(options) {
   if (credentialRequest.proofs) {
     const { batch_credential_issuance } = options.issuerMetadata.credentialIssuer;
     if (options.issuerMetadata.originalDraftVersion === "Draft11" /* Draft11 */) {
-      throw new import_oauth212.Oauth2Error(
+      throw new import_oauth213.Oauth2Error(
         `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support batch credential issuance using the 'proofs' request property. Only 'proof' is supported.`
       );
     }
     const proofs = Object.values(credentialRequest.proofs)[0];
     if (proofs.length > (batch_credential_issuance?.batch_size ?? 1)) {
-      throw new import_oauth212.Oauth2Error(
+      throw new import_oauth213.Oauth2Error(
         `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' supports batch issuance, but the max batch size is '${batch_credential_issuance?.batch_size ?? 1}'. A total of '${proofs.length}' proofs were provided.`
       );
     }
@@ -1438,7 +1526,7 @@ async function retrieveCredentials(options) {
       `Error transforming credential request from ${"Draft14" /* Draft14 */} to ${"Draft11" /* Draft11 */}`
     );
   }
-  const resourceResponse = await (0, import_oauth212.resourceRequest)({
+  const resourceResponse = await (0, import_oauth213.resourceRequest)({
     dpop: options.dpop,
     accessToken: options.accessToken,
     callbacks: options.callbacks,
@@ -1471,14 +1559,62 @@ async function retrieveCredentials(options) {
     credentialResponse: credentialResponseResult.data
   };
 }
+async function retrieveDeferredCredentials(options) {
+  const credentialEndpoint = options.issuerMetadata.credentialIssuer.deferred_credential_endpoint;
+  if (!credentialEndpoint) {
+    throw new Openid4vciError(
+      `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support deferred credential retrieval.`
+    );
+  }
+  const deferredCredentialRequest = (0, import_utils12.parseWithErrorHandling)(
+    zDeferredCredentialRequest,
+    {
+      transaction_id: options.transactionId,
+      ...options.additionalRequestPayload
+    },
+    "Error validating deferred credential request"
+  );
+  const resourceResponse = await (0, import_oauth213.resourceRequest)({
+    dpop: options.dpop,
+    accessToken: options.accessToken,
+    callbacks: options.callbacks,
+    url: credentialEndpoint,
+    requestOptions: {
+      method: "POST",
+      headers: {
+        "Content-Type": import_utils12.ContentType.Json
+      },
+      body: JSON.stringify(deferredCredentialRequest)
+    }
+  });
+  if (!resourceResponse.ok) {
+    const deferredCredentialErrorResponseResult = (0, import_utils12.isResponseContentType)(import_utils12.ContentType.Json, resourceResponse.response) ? zCredentialErrorResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+    return {
+      ...resourceResponse,
+      deferredCredentialErrorResponseResult
+    };
+  }
+  const deferredCredentialResponseResult = (0, import_utils12.isResponseContentType)(import_utils12.ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
+  if (!deferredCredentialResponseResult?.success) {
+    return {
+      ...resourceResponse,
+      ok: false,
+      deferredCredentialResponseResult
+    };
+  }
+  return {
+    ...resourceResponse,
+    deferredCredentialResponse: deferredCredentialResponseResult.data
+  };
+}
 // src/formats/proof-type/jwt/jwt-proof-type.ts
-var import_oauth213 = require("@openid4vc/oauth2");
 var import_oauth214 = require("@openid4vc/oauth2");
+var import_oauth215 = require("@openid4vc/oauth2");
 var import_utils13 = require("@openid4vc/utils");
 async function createCredentialRequestJwtProof(options) {
   const header = (0, import_utils13.parseWithErrorHandling)(zCredentialRequestJwtProofTypeHeader, {
-    ...(0, import_oauth213.jwtHeaderFromJwtSigner)(options.signer),
+    ...(0, import_oauth214.jwtHeaderFromJwtSigner)(options.signer),
     key_attestation: options.keyAttestationJwt,
     typ: "openid4vci-proof+jwt"
   });
@@ -1490,12 +1626,12 @@ async function createCredentialRequestJwtProof(options) {
   });
   const { jwt, signerJwk } = await options.callbacks.signJwt(options.signer, { header, payload });
   if (options.keyAttestationJwt) {
-    const decodedKeyAttestation = (0, import_oauth213.decodeJwt)({
+    const decodedKeyAttestation = (0, import_oauth214.decodeJwt)({
       jwt: options.keyAttestationJwt,
       headerSchema: zKeyAttestationJwtHeader,
       payloadSchema: zKeyAttestationJwtPayload
     });
-    const isSigedWithAttestedKey = await (0, import_oauth213.isJwkInSet)({
+    const isSigedWithAttestedKey = await (0, import_oauth214.isJwkInSet)({
       jwk: signerJwk,
       jwks: decodedKeyAttestation.payload.attested_keys,
       callbacks: options.callbacks
@@ -1509,7 +1645,7 @@ async function createCredentialRequestJwtProof(options) {
   return jwt;
 }
 async function verifyCredentialRequestJwtProof(options) {
-  const { header, payload } = (0, import_oauth213.decodeJwt)({
+  const { header, payload } = (0, import_oauth214.decodeJwt)({
     jwt: options.jwt,
     headerSchema: zCredentialRequestJwtProofTypeHeader,
     payloadSchema: zCredentialRequestJwtProofTypePayload
@@ -1518,11 +1654,11 @@ async function verifyCredentialRequestJwtProof(options) {
   if (options.nonceExpiresAt && now > options.nonceExpiresAt.getTime()) {
     throw new Openid4vciError("Nonce used for credential request proof expired");
   }
-  const { signer } = await (0, import_oauth214.verifyJwt)({
+  const { signer } = await (0, import_oauth215.verifyJwt)({
     compact: options.jwt,
     header,
     payload,
-    signer: (0, import_oauth214.jwtSignerFromJwt)({ header, payload }),
+    signer: (0, import_oauth215.jwtSignerFromJwt)({ header, payload }),
     verifyJwtCallback: options.callbacks.verifyJwt,
     errorMessage: "Error verifiying credential request proof jwt.",
     expectedNonce: options.expectedNonce,
@@ -1537,7 +1673,7 @@ async function verifyCredentialRequestJwtProof(options) {
       keyAttestationJwt: header.key_attestation,
       use: "proof_type.jwt"
     });
-    const isSigedWithAttestedKey = await (0, import_oauth213.isJwkInSet)({
+    const isSigedWithAttestedKey = await (0, import_oauth214.isJwkInSet)({
       jwk: signer.publicJwk,
       jwks: keyAttestationResult.payload.attested_keys,
       callbacks: options.callbacks
@@ -1557,13 +1693,13 @@ async function verifyCredentialRequestJwtProof(options) {
 }
 // src/metadata/fetch-issuer-metadata.ts
-var import_oauth215 = require("@openid4vc/oauth2");
+var import_oauth216 = require("@openid4vc/oauth2");
 var import_utils14 = require("@openid4vc/utils");
 async function resolveIssuerMetadata(credentialIssuer, options) {
   const allowAuthorizationMetadataFromCredentialIssuerMetadata = options?.allowAuthorizationMetadataFromCredentialIssuerMetadata ?? true;
   const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, options?.fetch);
   if (!credentialIssuerMetadataWithDraftVersion) {
-    throw new import_oauth215.Oauth2Error(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
+    throw new import_oauth216.Oauth2Error(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
   }
   const { credentialIssuerMetadata, originalDraftVersion } = credentialIssuerMetadataWithDraftVersion;
   const authorizationServers = credentialIssuerMetadata.authorization_servers ?? [credentialIssuer];
@@ -1572,10 +1708,10 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
     if (options?.restrictToAuthorizationServers && !options.restrictToAuthorizationServers.includes(authorizationServer)) {
       continue;
     }
-    let authorizationServerMetadata = await (0, import_oauth215.fetchAuthorizationServerMetadata)(authorizationServer, options?.fetch);
+    let authorizationServerMetadata = await (0, import_oauth216.fetchAuthorizationServerMetadata)(authorizationServer, options?.fetch);
     if (!authorizationServerMetadata && authorizationServer === credentialIssuer && allowAuthorizationMetadataFromCredentialIssuerMetadata) {
       authorizationServerMetadata = (0, import_utils14.parseWithErrorHandling)(
-        import_oauth215.zAuthorizationServerMetadata,
+        import_oauth216.zAuthorizationServerMetadata,
         {
           token_endpoint: credentialIssuerMetadata.token_endpoint,
           issuer: credentialIssuer
@@ -1584,7 +1720,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
       );
     }
     if (!authorizationServerMetadata) {
-      throw new import_oauth215.Oauth2Error(
+      throw new import_oauth216.Oauth2Error(
         `Well known openid configuration or authorization server metadata for authorization server '${authorizationServer}' not found.`
       );
     }
@@ -1598,7 +1734,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 }
 // src/nonce/nonce-request.ts
-var import_oauth216 = require("@openid4vc/oauth2");
+var import_oauth217 = require("@openid4vc/oauth2");
 var import_utils16 = require("@openid4vc/utils");
 // src/nonce/z-nonce.ts
@@ -1622,8 +1758,8 @@ async function requestNonce(options) {
     method: "POST"
   });
   if (!response.ok || !result) {
-    throw new import_oauth216.InvalidFetchResponseError(
-      `Requesting nonce from '${nonceEndpoint}' resulted in an unsuccesfull response with status '${response.status}'`,
+    throw new import_oauth217.InvalidFetchResponseError(
+      `Requesting nonce from '${nonceEndpoint}' resulted in an unsuccessful response with status '${response.status}'`,
       await response.clone().text(),
       response
     );
@@ -1642,7 +1778,7 @@ function createNonceResponse(options) {
 }
 // src/notification/notification.ts
-var import_oauth217 = require("@openid4vc/oauth2");
+var import_oauth218 = require("@openid4vc/oauth2");
 var import_utils17 = require("@openid4vc/utils");
 // src/notification/z-notification.ts
@@ -1658,10 +1794,10 @@ var zNotificationErrorResponse = import_zod20.default.object({
 }).passthrough();
 // src/notification/notification.ts
-async function sendNotifcation(options) {
+async function sendNotification(options) {
   const notificationEndpoint = options.issuerMetadata.credentialIssuer.notification_endpoint;
   if (!notificationEndpoint) {
-    throw new import_oauth217.Oauth2Error(
+    throw new import_oauth218.Oauth2Error(
       `Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a notification endpiont configured.`
     );
   }
@@ -1674,7 +1810,7 @@ async function sendNotifcation(options) {
     },
     "Error validating notification request"
   );
-  const resourceResponse = await (0, import_oauth217.resourceRequest)({
+  const resourceResponse = await (0, import_oauth218.resourceRequest)({
     dpop: options.dpop,
     accessToken: options.accessToken,
     callbacks: options.callbacks,
@@ -1706,7 +1842,7 @@ var AuthorizationFlow = /* @__PURE__ */ ((AuthorizationFlow2) => {
 var Openid4vciClient = class {
   constructor(options) {
     this.options = options;
-    this.oauth2Client = new import_oauth218.Oauth2Client({
+    this.oauth2Client = new import_oauth219.Oauth2Client({
       callbacks: this.options.callbacks
     });
   }
@@ -1733,23 +1869,23 @@ var Openid4vciClient = class {
    * Retrieve an authorization code for a presentation during issuance session
    *
    * This can only be called if an authorization challenge was performed before and returned a
-   * `presentation` paramater along with an `auth_session`. If the presentation response included
+   * `presentation` parameter along with an `auth_session`. If the presentation response included
    * an `presentation_during_issuance_session` parameter it MUST be included in this request as well.
    */
   async retrieveAuthorizationCodeUsingPresentation(options) {
-    if (!options.credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
-      throw new import_oauth218.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+    if (!options.credentialOffer.grants?.[import_oauth219.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth219.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
     }
-    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier];
+    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth219.authorizationCodeGrantIdentifier];
     const authorizationServer = determineAuthorizationServerForCredentialOffer({
       issuerMetadata: options.issuerMetadata,
       grantAuthorizationServer: authorizationCodeGrant.authorization_server
     });
-    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+    const authorizationServerMetadata = (0, import_oauth219.getAuthorizationServerMetadataFromList)(
       options.issuerMetadata.authorizationServers,
       authorizationServer
     );
-    const oauth2Client = new import_oauth218.Oauth2Client({ callbacks: this.options.callbacks });
+    const oauth2Client = new import_oauth219.Oauth2Client({ callbacks: this.options.callbacks });
     const { authorizationChallengeResponse, dpop } = await oauth2Client.sendAuthorizationChallengeRequest({
       authorizationServerMetadata,
       authSession: options.authSession,
@@ -1766,26 +1902,26 @@ var Openid4vciClient = class {
    *
    * In case the authorization challenge request returns an error with `insufficient_authorization`
    * with a `presentation` field it means the authorization server expects presentation of credentials
-   * before issuance of crednetials. If this is the case, the value in `presentation` should be treated
+   * before issuance of credentials. If this is the case, the value in `presentation` should be treated
    * as an openid4vp authorization request and submitted to the verifier. Once the presentation response
-   * has been submitted, the RP will respnosd with a `presentation_during_issuance_session` parameter.
+   * has been submitted, the RP will respond with a `presentation_during_issuance_session` parameter.
    * Together with the `auth_session` parameter returned in this call you can retrieve an `authorization_code`
    * using
    */
   async initiateAuthorization(options) {
-    if (!options.credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
-      throw new import_oauth218.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+    if (!options.credentialOffer.grants?.[import_oauth219.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth219.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
     }
-    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier];
+    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth219.authorizationCodeGrantIdentifier];
     const authorizationServer = determineAuthorizationServerForCredentialOffer({
       issuerMetadata: options.issuerMetadata,
       grantAuthorizationServer: authorizationCodeGrant.authorization_server
     });
-    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+    const authorizationServerMetadata = (0, import_oauth219.getAuthorizationServerMetadataFromList)(
       options.issuerMetadata.authorizationServers,
       authorizationServer
     );
-    const oauth2Client = new import_oauth218.Oauth2Client({ callbacks: this.options.callbacks });
+    const oauth2Client = new import_oauth219.Oauth2Client({ callbacks: this.options.callbacks });
     try {
       const result = await oauth2Client.initiateAuthorization({
         clientId: options.clientId,
@@ -1806,7 +1942,7 @@ var Openid4vciClient = class {
         authorizationServer: authorizationServerMetadata.issuer
       };
     } catch (error) {
-      if (error instanceof import_oauth218.Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === import_oauth218.Oauth2ErrorCodes.InsufficientAuthorization && error.errorResponse.presentation) {
+      if (error instanceof import_oauth219.Oauth2ClientAuthorizationChallengeError && error.errorResponse.error === import_oauth219.Oauth2ErrorCodes.InsufficientAuthorization && error.errorResponse.presentation) {
         if (!error.errorResponse.auth_session) {
           throw new Openid4vciError(
             `Expected 'auth_session' to be defined with authorization challenge response error '${error.errorResponse.error}' and 'presentation' parameter`
@@ -1827,15 +1963,15 @@ var Openid4vciClient = class {
    * but specifically focused on a credential offer
    */
   async createAuthorizationRequestUrlFromOffer(options) {
-    if (!options.credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
-      throw new import_oauth218.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+    if (!options.credentialOffer.grants?.[import_oauth219.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth219.Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
     }
-    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier];
+    const authorizationCodeGrant = options.credentialOffer.grants[import_oauth219.authorizationCodeGrantIdentifier];
     const authorizationServer = determineAuthorizationServerForCredentialOffer({
       issuerMetadata: options.issuerMetadata,
       grantAuthorizationServer: authorizationCodeGrant.authorization_server
     });
-    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+    const authorizationServerMetadata = (0, import_oauth219.getAuthorizationServerMetadataFromList)(
       options.issuerMetadata.authorizationServers,
       authorizationServer
     );
@@ -1870,20 +2006,20 @@ var Openid4vciClient = class {
     txCode,
     dpop
   }) {
-    if (!credentialOffer.grants?.[import_oauth218.preAuthorizedCodeGrantIdentifier]) {
-      throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.preAuthorizedCodeGrantIdentifier}' grant.`);
+    if (!credentialOffer.grants?.[import_oauth219.preAuthorizedCodeGrantIdentifier]) {
+      throw new import_oauth219.Oauth2Error(`The credential offer does not contain the '${import_oauth219.preAuthorizedCodeGrantIdentifier}' grant.`);
     }
-    if (credentialOffer.grants[import_oauth218.preAuthorizedCodeGrantIdentifier].tx_code && !txCode) {
-      throw new import_oauth218.Oauth2Error(
+    if (credentialOffer.grants[import_oauth219.preAuthorizedCodeGrantIdentifier].tx_code && !txCode) {
+      throw new import_oauth219.Oauth2Error(
         `Retrieving access token requires a 'tx_code' in the request, but the 'txCode' parameter was not provided.`
       );
     }
-    const preAuthorizedCode = credentialOffer.grants[import_oauth218.preAuthorizedCodeGrantIdentifier]["pre-authorized_code"];
+    const preAuthorizedCode = credentialOffer.grants[import_oauth219.preAuthorizedCodeGrantIdentifier]["pre-authorized_code"];
     const authorizationServer = determineAuthorizationServerForCredentialOffer({
-      grantAuthorizationServer: credentialOffer.grants[import_oauth218.preAuthorizedCodeGrantIdentifier].authorization_server,
+      grantAuthorizationServer: credentialOffer.grants[import_oauth219.preAuthorizedCodeGrantIdentifier].authorization_server,
       issuerMetadata
     });
-    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+    const authorizationServerMetadata = (0, import_oauth219.getAuthorizationServerMetadataFromList)(
       issuerMetadata.authorizationServers,
       authorizationServer
     );
@@ -1913,14 +2049,14 @@ var Openid4vciClient = class {
     redirectUri,
     dpop
   }) {
-    if (!credentialOffer.grants?.[import_oauth218.authorizationCodeGrantIdentifier]) {
-      throw new import_oauth218.Oauth2Error(`The credential offer does not contain the '${import_oauth218.authorizationCodeGrantIdentifier}' grant.`);
+    if (!credentialOffer.grants?.[import_oauth219.authorizationCodeGrantIdentifier]) {
+      throw new import_oauth219.Oauth2Error(`The credential offer does not contain the '${import_oauth219.authorizationCodeGrantIdentifier}' grant.`);
     }
     const authorizationServer = determineAuthorizationServerForCredentialOffer({
-      grantAuthorizationServer: credentialOffer.grants[import_oauth218.authorizationCodeGrantIdentifier].authorization_server,
+      grantAuthorizationServer: credentialOffer.grants[import_oauth219.authorizationCodeGrantIdentifier].authorization_server,
       issuerMetadata
     });
-    const authorizationServerMetadata = (0, import_oauth218.getAuthorizationServerMetadataFromList)(
+    const authorizationServerMetadata = (0, import_oauth219.getAuthorizationServerMetadataFromList)(
       issuerMetadata.authorizationServers,
       authorizationServer
     );
@@ -1942,7 +2078,7 @@ var Openid4vciClient = class {
    * Request a nonce to be used in credential request proofs from the `nonce_endpoint`
    *
    * @throws Openid4vciError - if no `nonce_endpoint` is configured in the issuer metadata
-   * @thrwos InvalidFetchResponseError - if the nonce endpoint did not return a succesfull response
+   * @throws InvalidFetchResponseError - if the nonce endpoint did not return a successful response
    * @throws ValidationError - if validating the nonce response failed
    */
   async requestNonce(options) {
@@ -1994,7 +2130,7 @@ var Openid4vciClient = class {
     };
   }
   /**
-   * @throws Openid4vciRetrieveCredentialsError - if an unsuccesfull response or the respnose couldn't be parsed as credential response
+   * @throws Openid4vciRetrieveCredentialsError - if an unsuccessful response or the response couldn't be parsed as credential response
    * @throws ValidationError - if validation of the credential request failed
    * @throws Openid4vciError - if the `credentialConfigurationId` couldn't be found, or if the the format specific request couldn't be constructed
    */
@@ -2008,7 +2144,7 @@ var Openid4vciClient = class {
     dpop
   }) {
     let credentialResponse;
-    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */) {
+    if (issuerMetadata.originalDraftVersion === "Draft15" /* Draft15 */ || issuerMetadata.originalDraftVersion === "Draft16" /* Draft16 */) {
       credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
         accessToken,
         credentialConfigurationId,
@@ -2045,7 +2181,25 @@ var Openid4vciClient = class {
     return credentialResponse;
   }
   /**
-   * @throws Openid4vciSendNotificationError - if an unsuccesfull response
+   * @throws Openid4vciRetrieveCredentialsError - if an unsuccessful response or the response couldn't be parsed as credential response
+   * @throws ValidationError - if validation of the credential request failed
+   */
+  async retrieveDeferredCredentials(options) {
+    const credentialResponse = await retrieveDeferredCredentials({
+      ...options,
+      callbacks: this.options.callbacks
+    });
+    if (!credentialResponse.ok) {
+      throw new Openid4vciRetrieveCredentialsError(
+        `Error retrieving deferred credentials from '${options.issuerMetadata.credentialIssuer.credential_issuer}'`,
+        credentialResponse,
+        await credentialResponse.response.clone().text()
+      );
+    }
+    return credentialResponse;
+  }
+  /**
+   * @throws Openid4vciSendNotificationError - if an unsuccessful response
    * @throws ValidationError - if validation of the notification request failed
    */
   async sendNotification({
@@ -2055,7 +2209,7 @@ var Openid4vciClient = class {
     accessToken,
     dpop
   }) {
-    const notificationResponse = await sendNotifcation({
+    const notificationResponse = await sendNotification({
       accessToken,
       issuerMetadata,
       additionalRequestPayload,
@@ -2074,8 +2228,8 @@ var Openid4vciClient = class {
 };
 // src/Openid4vciIssuer.ts
-var import_oauth219 = require("@openid4vc/oauth2");
-var import_utils20 = require("@openid4vc/utils");
+var import_oauth220 = require("@openid4vc/oauth2");
+var import_utils21 = require("@openid4vc/utils");
 // src/credential-request/credential-response.ts
 var import_utils18 = require("@openid4vc/utils");
@@ -2086,6 +2240,8 @@ function createCredentialResponse(options) {
     credential: options.credential,
     credentials: options.credentials,
     notification_id: options.notificationId,
+    transaction_id: options.transactionId,
+    interval: options.interval,
     // NOTE `format` is removed in draft 13. For now if a format was requested
     // we just always return it in the response as well.
     format: options.credentialRequest.format?.format,
@@ -2093,6 +2249,14 @@ function createCredentialResponse(options) {
   });
   return credentialResponse;
 }
+function createDeferredCredentialResponse(options) {
+  return (0, import_utils18.parseWithErrorHandling)(zDeferredCredentialResponse, {
+    credentials: options.credentials,
+    notification_id: options.notificationId,
+    interval: options.interval,
+    ...options.additionalPayload
+  });
+}
 // src/credential-request/parse-credential-request.ts
 var import_utils19 = require("@openid4vc/utils");
@@ -2156,6 +2320,19 @@ function parseCredentialRequest(options) {
   };
 }
+// src/credential-request/parse-deferred-credential-request.ts
+var import_utils20 = require("@openid4vc/utils");
+function parseDeferredCredentialRequest(options) {
+  const deferredCredentialRequest = (0, import_utils20.parseWithErrorHandling)(
+    zDeferredCredentialRequest,
+    options.deferredCredentialRequest,
+    "Error validating credential request"
+  );
+  return {
+    deferredCredentialRequest
+  };
+}
 // src/formats/proof-type/attestation/attestation-proof-type.ts
 async function verifyCredentialRequestAttestationProof(options) {
   const verificationResult = await verifyKeyAttestationJwt({
@@ -2171,7 +2348,7 @@ var Openid4vciIssuer = class {
     this.options = options;
   }
   getCredentialIssuerMetadataDraft11(credentialIssuerMetadata) {
-    return (0, import_utils20.parseWithErrorHandling)(zCredentialIssuerMetadataWithDraft11, credentialIssuerMetadata);
+    return (0, import_utils21.parseWithErrorHandling)(zCredentialIssuerMetadataWithDraft11, credentialIssuerMetadata);
   }
   getKnownCredentialConfigurationsSupported(credentialIssuerMetadata) {
     return extractKnownCredentialConfigurationSupportedFormats(
@@ -2182,7 +2359,7 @@ var Openid4vciIssuer = class {
    * Create issuer metadata and validates the structure is correct
    */
   createCredentialIssuerMetadata(credentialIssuerMetadata) {
-    return (0, import_utils20.parseWithErrorHandling)(
+    return (0, import_utils21.parseWithErrorHandling)(
       zCredentialIssuerMetadata,
       credentialIssuerMetadata,
       "Error validating credential issuer metadata"
@@ -2215,12 +2392,12 @@ var Openid4vciIssuer = class {
         now: options.now
       });
     } catch (error) {
-      throw new import_oauth219.Oauth2ServerErrorResponseError(
+      throw new import_oauth220.Oauth2ServerErrorResponseError(
         {
-          error: import_oauth219.Oauth2ErrorCodes.InvalidProof,
+          error: import_oauth220.Oauth2ErrorCodes.InvalidProof,
           error_description: (
-            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
-            error instanceof import_oauth219.Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
+            // TODO: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof import_oauth220.Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
           )
         },
         {
@@ -2244,12 +2421,12 @@ var Openid4vciIssuer = class {
         now: options.now
       });
     } catch (error) {
-      throw new import_oauth219.Oauth2ServerErrorResponseError(
+      throw new import_oauth220.Oauth2ServerErrorResponseError(
         {
-          error: import_oauth219.Oauth2ErrorCodes.InvalidProof,
+          error: import_oauth220.Oauth2ErrorCodes.InvalidProof,
           error_description: (
-            // TOOD: error should have a internalErrorMessage and a publicErrorMessage
-            error instanceof import_oauth219.Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
+            // TODO: error should have a internalErrorMessage and a publicErrorMessage
+            error instanceof import_oauth220.Oauth2JwtVerificationError || error instanceof Openid4vciError ? error.message : "Invalid proof"
           )
         },
         {
@@ -2267,12 +2444,12 @@ var Openid4vciIssuer = class {
     try {
       return parseCredentialRequest(options);
     } catch (error) {
-      throw new import_oauth219.Oauth2ServerErrorResponseError(
+      throw new import_oauth220.Oauth2ServerErrorResponseError(
         {
-          error: import_oauth219.Oauth2ErrorCodes.InvalidCredentialRequest,
+          error: import_oauth220.Oauth2ErrorCodes.InvalidCredentialRequest,
           error_description: (
             // TODO: error should have a internalErrorMessage and a publicErrorMessage
-            error instanceof import_utils20.ValidationError ? error.message : "Invalid request"
+            error instanceof import_utils21.ValidationError ? error.message : "Invalid request"
           )
         },
         {
@@ -2282,12 +2459,37 @@ var Openid4vciIssuer = class {
       );
     }
   }
+  /**
+   * @throws Oauth2ServerErrorResponseError - when validation of the deferred credential request fails
+   */
+  parseDeferredCredentialRequest(options) {
+    try {
+      return parseDeferredCredentialRequest(options);
+    } catch (error) {
+      throw new import_oauth220.Oauth2ServerErrorResponseError(
+        {
+          error: import_oauth220.Oauth2ErrorCodes.InvalidCredentialRequest,
+          error_description: error instanceof import_utils21.ValidationError ? error.message : "Invalid request"
+        },
+        {
+          internalMessage: "Error parsing deferred credential request",
+          cause: error
+        }
+      );
+    }
+  }
   /**
    * @throws ValidationError - when validation of the credential response fails
    */
   createCredentialResponse(options) {
     return createCredentialResponse(options);
   }
+  /**
+   * @throws ValidationError - when validation of the credential response fails
+   */
+  createDeferredCredentialResponse(options) {
+    return createDeferredCredentialResponse(options);
+  }
   /**
    * @throws ValidationError - when validation of the nonce response fails
    */
@@ -2295,14 +2497,14 @@ var Openid4vciIssuer = class {
     return createNonceResponse(options);
   }
   async verifyWalletAttestation(options) {
-    return new import_oauth219.Oauth2AuthorizationServer({
+    return new import_oauth220.Oauth2AuthorizationServer({
       callbacks: this.options.callbacks
     }).verifyClientAttestation(options);
   }
 };
 // src/Openid4vciWalletProvider.ts
-var import_oauth220 = require("@openid4vc/oauth2");
+var import_oauth221 = require("@openid4vc/oauth2");
 var Openid4vciWalletProvider = class {
   constructor(options) {
     this.options = options;
@@ -2316,7 +2518,7 @@ var Openid4vciWalletProvider = class {
       wallet_name: options.walletName,
       wallet_link: options.walletLink
     };
-    return await (0, import_oauth220.createClientAttestationJwt)({
+    return await (0, import_oauth221.createClientAttestationJwt)({
       ...options,
       callbacks: this.options.callbacks,
       additionalPayload