@openid4vc/openid4vci 0.3.0-alpha-20251021081452 → 0.3.0-alpha-20251021082313

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import { ContentType, Fetch, FetchHeaders, HttpMethod, InferOutputUnion, Oid4vcTsConfig, OrPromise, StringWithAutoCompletion, getGlobalConfig, setGlobalConfig } from "@openid4vc/utils";
-import * as _openid4vc_oauth23 from "@openid4vc/oauth2";
-import { AuthorizationCodeGrantIdentifier, AuthorizationServerMetadata, CallbackContext, CreateAuthorizationRequestUrlOptions, CreateClientAttestationJwtOptions, CreatePkceReturn, Jwk, JwtSigner, PreAuthorizedCodeGrantIdentifier, RequestDpopOptions, ResourceRequestResponseNotOk, ResourceRequestResponseOk, RetrieveAuthorizationCodeAccessTokenOptions, RetrievePreAuthorizedCodeAccessTokenOptions, authorizationCodeGrantIdentifier, preAuthorizedCodeGrantIdentifier } from "@openid4vc/oauth2";
+import * as _openid4vc_oauth20 from "@openid4vc/oauth2";
+import { AuthorizationCodeGrantIdentifier, AuthorizationServerMetadata, CallbackContext, CreateAuthorizationRequestUrlOptions, CreateClientAttestationJwtOptions, CreatePkceReturn, DecodeJwtResult, Jwk, JwtSigner, JwtSignerWithJwk, PreAuthorizedCodeGrantIdentifier, RequestDpopOptions, ResourceRequestResponseNotOk, ResourceRequestResponseOk, RetrieveAuthorizationCodeAccessTokenOptions, RetrievePreAuthorizedCodeAccessTokenOptions, authorizationCodeGrantIdentifier, preAuthorizedCodeGrantIdentifier } from "@openid4vc/oauth2";
 import * as zod0 from "zod";
 import z from "zod";
 import * as zod_v4_core0 from "zod/v4/core";
@@ -1662,10 +1662,334 @@ declare const zCredentialConfigurationSupportedDraft11To16: z.ZodPipe<z.ZodPipe<
   credential_metadata?: undefined;
 }>>>;
 //#endregion
+//#region src/metadata/credential-issuer/z-signed-credential-issuer-metadata.d.ts
+declare const zSignedCredentialIssuerMetadataHeader: z.ZodObject<{
+  typ: z.ZodLiteral<"openidvci-issuer-metadata+jwt">;
+  alg: z.ZodString;
+  kid: z.ZodOptional<z.ZodString>;
+  jwk: z.ZodOptional<z.ZodObject<{
+    kty: z.ZodString;
+    crv: z.ZodOptional<z.ZodString>;
+    x: z.ZodOptional<z.ZodString>;
+    y: z.ZodOptional<z.ZodString>;
+    e: z.ZodOptional<z.ZodString>;
+    n: z.ZodOptional<z.ZodString>;
+    alg: z.ZodOptional<z.ZodString>;
+    d: z.ZodOptional<z.ZodString>;
+    dp: z.ZodOptional<z.ZodString>;
+    dq: z.ZodOptional<z.ZodString>;
+    ext: z.ZodOptional<z.ZodBoolean>;
+    k: z.ZodOptional<z.ZodString>;
+    key_ops: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    kid: z.ZodOptional<z.ZodString>;
+    oth: z.ZodOptional<z.ZodArray<z.ZodObject<{
+      d: z.ZodOptional<z.ZodString>;
+      r: z.ZodOptional<z.ZodString>;
+      t: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>>;
+    p: z.ZodOptional<z.ZodString>;
+    q: z.ZodOptional<z.ZodString>;
+    qi: z.ZodOptional<z.ZodString>;
+    use: z.ZodOptional<z.ZodString>;
+    x5c: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    x5t: z.ZodOptional<z.ZodString>;
+    'x5t#S256': z.ZodOptional<z.ZodString>;
+    x5u: z.ZodOptional<z.ZodString>;
+  }, z.core.$loose>>;
+  x5c: z.ZodOptional<z.ZodArray<z.ZodString>>;
+  trust_chain: z.ZodOptional<z.ZodTuple<[z.ZodString], z.ZodString>>;
+}, z.core.$loose>;
+declare const zSignedCredentialIssuerMetadataPayload: z.ZodObject<{
+  credential_issuer: z.ZodString;
+  authorization_servers: z.ZodOptional<z.ZodArray<z.ZodString>>;
+  credential_endpoint: z.ZodString;
+  deferred_credential_endpoint: z.ZodOptional<z.ZodString>;
+  notification_endpoint: z.ZodOptional<z.ZodString>;
+  nonce_endpoint: z.ZodOptional<z.ZodString>;
+  credential_response_encryption: z.ZodOptional<z.ZodObject<{
+    alg_values_supported: z.ZodArray<z.ZodString>;
+    enc_values_supported: z.ZodArray<z.ZodString>;
+    encryption_required: z.ZodBoolean;
+  }, z.core.$loose>>;
+  batch_credential_issuance: z.ZodOptional<z.ZodObject<{
+    batch_size: z.ZodNumber;
+  }, z.core.$loose>>;
+  display: z.ZodOptional<z.ZodArray<z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    locale: z.ZodOptional<z.ZodString>;
+    logo: z.ZodOptional<z.ZodObject<{
+      uri: z.ZodOptional<z.ZodString>;
+      alt_text: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>;
+  }, z.core.$loose>>>;
+  credential_configurations_supported: z.ZodRecord<z.ZodString, z.ZodPipe<z.ZodUnion<readonly [z.ZodObject<{
+    format: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    cryptographic_binding_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    credential_signing_alg_values_supported: z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString>, z.ZodArray<z.ZodNumber>]>>;
+    proof_types_supported: z.ZodOptional<z.ZodRecord<z.ZodUnion<readonly [z.ZodLiteral<"jwt">, z.ZodLiteral<"attestation">, z.ZodString]>, z.ZodObject<{
+      proof_signing_alg_values_supported: z.ZodArray<z.ZodString>;
+      key_attestations_required: z.ZodOptional<z.ZodObject<{
+        key_storage: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodEnum<{
+          iso_18045_high: "iso_18045_high";
+          iso_18045_moderate: "iso_18045_moderate";
+          "iso_18045_enhanced-basic": "iso_18045_enhanced-basic";
+          iso_18045_basic: "iso_18045_basic";
+        }>, z.ZodString]>>>;
+        user_authentication: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodEnum<{
+          iso_18045_high: "iso_18045_high";
+          iso_18045_moderate: "iso_18045_moderate";
+          "iso_18045_enhanced-basic": "iso_18045_enhanced-basic";
+          iso_18045_basic: "iso_18045_basic";
+        }>, z.ZodString]>>>;
+      }, z.core.$loose>>;
+    }, z.core.$strip>>>;
+    credential_metadata: z.ZodOptional<z.ZodObject<{
+      display: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        locale: z.ZodOptional<z.ZodString>;
+        logo: z.ZodOptional<z.ZodObject<{
+          uri: z.ZodOptional<z.ZodString>;
+          alt_text: z.ZodOptional<z.ZodString>;
+        }, z.core.$loose>>;
+        description: z.ZodOptional<z.ZodString>;
+        background_color: z.ZodOptional<z.ZodString>;
+        background_image: z.ZodOptional<z.ZodObject<{
+          uri: z.ZodOptional<z.ZodString>;
+        }, z.core.$loose>>;
+        text_color: z.ZodOptional<z.ZodString>;
+      }, z.core.$loose>>>;
+    }, z.core.$strip>>;
+    claims: z.ZodOptional<z.ZodNever>;
+  }, z.core.$loose>, z.ZodObject<{
+    format: z.ZodString;
+    scope: z.ZodOptional<z.ZodString>;
+    cryptographic_binding_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    credential_signing_alg_values_supported: z.ZodOptional<z.ZodUnion<[z.ZodArray<z.ZodString>, z.ZodArray<z.ZodNumber>]>>;
+    proof_types_supported: z.ZodOptional<z.ZodRecord<z.ZodUnion<readonly [z.ZodLiteral<"jwt">, z.ZodLiteral<"attestation">, z.ZodString]>, z.ZodObject<{
+      proof_signing_alg_values_supported: z.ZodArray<z.ZodString>;
+      key_attestations_required: z.ZodOptional<z.ZodObject<{
+        key_storage: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodEnum<{
+          iso_18045_high: "iso_18045_high";
+          iso_18045_moderate: "iso_18045_moderate";
+          "iso_18045_enhanced-basic": "iso_18045_enhanced-basic";
+          iso_18045_basic: "iso_18045_basic";
+        }>, z.ZodString]>>>;
+        user_authentication: z.ZodOptional<z.ZodArray<z.ZodUnion<readonly [z.ZodEnum<{
+          iso_18045_high: "iso_18045_high";
+          iso_18045_moderate: "iso_18045_moderate";
+          "iso_18045_enhanced-basic": "iso_18045_enhanced-basic";
+          iso_18045_basic: "iso_18045_basic";
+        }>, z.ZodString]>>>;
+      }, z.core.$loose>>;
+    }, z.core.$strip>>>;
+    display: z.ZodOptional<z.ZodArray<z.ZodObject<{
+      name: z.ZodString;
+      locale: z.ZodOptional<z.ZodString>;
+      logo: z.ZodOptional<z.ZodObject<{
+        uri: z.ZodOptional<z.ZodString>;
+        alt_text: z.ZodOptional<z.ZodString>;
+      }, z.core.$loose>>;
+      description: z.ZodOptional<z.ZodString>;
+      background_color: z.ZodOptional<z.ZodString>;
+      background_image: z.ZodOptional<z.ZodObject<{
+        uri: z.ZodOptional<z.ZodString>;
+      }, z.core.$loose>>;
+      text_color: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>>;
+    credential_metadata: z.ZodOptional<z.ZodNever>;
+  }, z.core.$loose>]>, z.ZodTransform<{
+    [x: string]: unknown;
+    format: string;
+    scope?: string | undefined;
+    cryptographic_binding_methods_supported?: string[] | undefined;
+    credential_signing_alg_values_supported?: string[] | number[] | undefined;
+    proof_types_supported?: Record<string, {
+      proof_signing_alg_values_supported: string[];
+      key_attestations_required?: {
+        [x: string]: unknown;
+        key_storage?: string[] | undefined;
+        user_authentication?: string[] | undefined;
+      } | undefined;
+    }> | undefined;
+    credential_metadata?: {
+      display?: {
+        [x: string]: unknown;
+        name: string;
+        locale?: string | undefined;
+        logo?: {
+          [x: string]: unknown;
+          uri?: string | undefined;
+          alt_text?: string | undefined;
+        } | undefined;
+        description?: string | undefined;
+        background_color?: string | undefined;
+        background_image?: {
+          [x: string]: unknown;
+          uri?: string | undefined;
+        } | undefined;
+        text_color?: string | undefined;
+      }[] | undefined;
+    } | undefined;
+    claims?: undefined;
+  } | {
+    [x: string]: unknown;
+    format: string;
+    scope?: string | undefined;
+    cryptographic_binding_methods_supported?: string[] | undefined;
+    credential_signing_alg_values_supported?: string[] | number[] | undefined;
+    proof_types_supported?: Record<string, {
+      proof_signing_alg_values_supported: string[];
+      key_attestations_required?: {
+        [x: string]: unknown;
+        key_storage?: string[] | undefined;
+        user_authentication?: string[] | undefined;
+      } | undefined;
+    }> | undefined;
+    display?: {
+      [x: string]: unknown;
+      name: string;
+      locale?: string | undefined;
+      logo?: {
+        [x: string]: unknown;
+        uri?: string | undefined;
+        alt_text?: string | undefined;
+      } | undefined;
+      description?: string | undefined;
+      background_color?: string | undefined;
+      background_image?: {
+        [x: string]: unknown;
+        uri?: string | undefined;
+      } | undefined;
+      text_color?: string | undefined;
+    }[] | undefined;
+    credential_metadata?: undefined;
+  }, {
+    [x: string]: unknown;
+    format: string;
+    scope?: string | undefined;
+    cryptographic_binding_methods_supported?: string[] | undefined;
+    credential_signing_alg_values_supported?: string[] | number[] | undefined;
+    proof_types_supported?: Record<string, {
+      proof_signing_alg_values_supported: string[];
+      key_attestations_required?: {
+        [x: string]: unknown;
+        key_storage?: string[] | undefined;
+        user_authentication?: string[] | undefined;
+      } | undefined;
+    }> | undefined;
+    credential_metadata?: {
+      display?: {
+        [x: string]: unknown;
+        name: string;
+        locale?: string | undefined;
+        logo?: {
+          [x: string]: unknown;
+          uri?: string | undefined;
+          alt_text?: string | undefined;
+        } | undefined;
+        description?: string | undefined;
+        background_color?: string | undefined;
+        background_image?: {
+          [x: string]: unknown;
+          uri?: string | undefined;
+        } | undefined;
+        text_color?: string | undefined;
+      }[] | undefined;
+    } | undefined;
+    claims?: undefined;
+  } | {
+    [x: string]: unknown;
+    format: string;
+    scope?: string | undefined;
+    cryptographic_binding_methods_supported?: string[] | undefined;
+    credential_signing_alg_values_supported?: string[] | number[] | undefined;
+    proof_types_supported?: Record<string, {
+      proof_signing_alg_values_supported: string[];
+      key_attestations_required?: {
+        [x: string]: unknown;
+        key_storage?: string[] | undefined;
+        user_authentication?: string[] | undefined;
+      } | undefined;
+    }> | undefined;
+    display?: {
+      [x: string]: unknown;
+      name: string;
+      locale?: string | undefined;
+      logo?: {
+        [x: string]: unknown;
+        uri?: string | undefined;
+        alt_text?: string | undefined;
+      } | undefined;
+      description?: string | undefined;
+      background_color?: string | undefined;
+      background_image?: {
+        [x: string]: unknown;
+        uri?: string | undefined;
+      } | undefined;
+      text_color?: string | undefined;
+    }[] | undefined;
+    credential_metadata?: undefined;
+  }>>>;
+  iat: z.ZodNumber;
+  sub: z.ZodString;
+  iss: z.ZodOptional<z.ZodString>;
+  aud: z.ZodOptional<z.ZodString>;
+  exp: z.ZodOptional<z.ZodNumber>;
+  nbf: z.ZodOptional<z.ZodNumber>;
+  nonce: z.ZodOptional<z.ZodString>;
+  jti: z.ZodOptional<z.ZodString>;
+  cnf: z.ZodOptional<z.ZodObject<{
+    jwk: z.ZodOptional<z.ZodObject<{
+      kty: z.ZodString;
+      crv: z.ZodOptional<z.ZodString>;
+      x: z.ZodOptional<z.ZodString>;
+      y: z.ZodOptional<z.ZodString>;
+      e: z.ZodOptional<z.ZodString>;
+      n: z.ZodOptional<z.ZodString>;
+      alg: z.ZodOptional<z.ZodString>;
+      d: z.ZodOptional<z.ZodString>;
+      dp: z.ZodOptional<z.ZodString>;
+      dq: z.ZodOptional<z.ZodString>;
+      ext: z.ZodOptional<z.ZodBoolean>;
+      k: z.ZodOptional<z.ZodString>;
+      key_ops: z.ZodOptional<z.ZodArray<z.ZodString>>;
+      kid: z.ZodOptional<z.ZodString>;
+      oth: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        d: z.ZodOptional<z.ZodString>;
+        r: z.ZodOptional<z.ZodString>;
+        t: z.ZodOptional<z.ZodString>;
+      }, z.core.$loose>>>;
+      p: z.ZodOptional<z.ZodString>;
+      q: z.ZodOptional<z.ZodString>;
+      qi: z.ZodOptional<z.ZodString>;
+      use: z.ZodOptional<z.ZodString>;
+      x5c: z.ZodOptional<z.ZodArray<z.ZodString>>;
+      x5t: z.ZodOptional<z.ZodString>;
+      'x5t#S256': z.ZodOptional<z.ZodString>;
+      x5u: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>;
+    jkt: z.ZodOptional<z.ZodString>;
+  }, z.core.$loose>>;
+  status: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+  trust_chain: z.ZodOptional<z.ZodTuple<[z.ZodString], z.ZodString>>;
+}, z.core.$loose>;
+//#endregion
+//#region src/metadata/credential-issuer/credential-issuer-metadata.d.ts
+interface CredentialIssuerMetadataSigned {
+  jwt: DecodeJwtResult<typeof zSignedCredentialIssuerMetadataHeader, typeof zSignedCredentialIssuerMetadataPayload>;
+  signer: JwtSignerWithJwk;
+}
+//#endregion
 //#region src/metadata/fetch-issuer-metadata.d.ts
 interface IssuerMetadataResult {
-  originalDraftVersion?: Openid4vciDraftVersion;
+  originalDraftVersion: Openid4vciDraftVersion;
   credentialIssuer: CredentialIssuerMetadata;
+  /**
+   * Metadata about the signed credential issuer metadata,
+   * if the issuer metadata was signed
+   */
+  signedCredentialIssuer?: CredentialIssuerMetadataSigned;
   authorizationServers: AuthorizationServerMetadata[];
 }
 //#endregion
@@ -2725,7 +3049,7 @@ interface ParseKeyAttestationJwtOptions {
 declare function parseKeyAttestationJwt({
   keyAttestationJwt,
   use
-}: ParseKeyAttestationJwtOptions): _openid4vc_oauth23.DecodeJwtResult<zod0.ZodObject<{
+}: ParseKeyAttestationJwtOptions): _openid4vc_oauth20.DecodeJwtResult<zod0.ZodObject<{
   typ: zod0.ZodUnion<[zod0.ZodLiteral<"keyattestation+jwt">, zod0.ZodLiteral<"key-attestation+jwt">]>;
   alg: zod0.ZodString;
   kid: zod0.ZodOptional<zod0.ZodString>;
@@ -2997,7 +3321,7 @@ declare function verifyKeyAttestationJwt(options: VerifyKeyAttestationJwtOptions
     status?: Record<string, any> | undefined;
     trust_chain?: [string, ...string[]] | undefined;
   };
-  signer: _openid4vc_oauth23.JwtSignerWithJwk;
+  signer: _openid4vc_oauth20.JwtSignerWithJwk;
 }>;
 //#endregion
 //#region src/metadata/credential-issuer/credential-configurations.d.ts
@@ -3162,7 +3486,7 @@ declare class Openid4vciClient {
     };
     dpop: {
       nonce: string | undefined;
-      signer: _openid4vc_oauth23.JwtSignerJwk;
+      signer: _openid4vc_oauth20.JwtSignerJwk;
     } | undefined;
   }>;
   /**
@@ -3221,7 +3545,7 @@ declare class Openid4vciClient {
     issuerMetadata: IssuerMetadataResult;
   }): Promise<{
     authorizationServer: string;
-    accessTokenResponse: _openid4vc_oauth23.AccessTokenResponse;
+    accessTokenResponse: _openid4vc_oauth20.AccessTokenResponse;
     dpop?: RequestDpopOptions;
   }>;
   /**
@@ -3241,7 +3565,7 @@ declare class Openid4vciClient {
     issuerMetadata: IssuerMetadataResult;
   }): Promise<{
     authorizationServer: string;
-    accessTokenResponse: _openid4vc_oauth23.AccessTokenResponse;
+    accessTokenResponse: _openid4vc_oauth20.AccessTokenResponse;
     dpop?: RequestDpopOptions;
   }>;
   /**
@@ -3296,7 +3620,7 @@ declare class Openid4vciClient {
     additionalRequestPayload,
     accessToken,
     dpop
-  }: Pick<SendNotificationOptions, 'accessToken' | 'additionalRequestPayload' | 'issuerMetadata' | 'dpop' | 'notification'>): Promise<_openid4vc_oauth23.ResourceRequestResponseOk>;
+  }: Pick<SendNotificationOptions, 'accessToken' | 'additionalRequestPayload' | 'issuerMetadata' | 'dpop' | 'notification'>): Promise<_openid4vc_oauth20.ResourceRequestResponseOk>;
 }
 //#endregion
 //#region ../oauth2/src/common/jwk/z-jwk.d.ts
@@ -3715,6 +4039,39 @@ interface ParseDeferredCredentialRequestReturn {
 //#region src/formats/proof-type/attestation/attestation-proof-type.d.ts
 interface VerifyCredentialRequestAttestationProofOptions extends Omit<VerifyKeyAttestationJwtOptions, 'use'> {}
 //#endregion
+//#region src/metadata/credential-issuer/signed-credential-issuer-metadata.d.ts
+interface CreateSignedCredentialIssuerMetadataJwtOptions {
+  /**
+   * The credential issuer metadata to include in the jwt
+   */
+  credentialIssuerMetadata: CredentialIssuerMetadata;
+  /**
+   * The date when the credential issuer metadata was issued. If not provided the current time will be used.
+   */
+  issuedAt?: Date;
+  /**
+   * The date when the credential issuer metadata will expire.
+   */
+  expiresAt?: Date;
+  /**
+   * Signer of the credential issuer metadata jwt
+   */
+  signer: JwtSigner;
+  /**
+   * The issuer of the issuer metadata jwt. This field is optional
+   */
+  issuer?: string;
+  /**
+   * Callbacks used for creating the credential issuer metadata jwt
+   */
+  callbacks: Pick<CallbackContext, 'signJwt'>;
+  /**
+   * Additional payload to include in the credential issuer metadata jwt payload. Will be applied after
+   * any default claims that are included, so add claims with caution.
+   */
+  additionalPayload?: Record<string, unknown>;
+}
+//#endregion
 //#region src/Openid4vciIssuer.d.ts
 interface Openid4vciIssuerOptions {
   /**
@@ -3877,6 +4234,10 @@ declare class Openid4vciIssuer {
    * Create issuer metadata and validates the structure is correct
    */
   createCredentialIssuerMetadata(credentialIssuerMetadata: CredentialIssuerMetadata): CredentialIssuerMetadata;
+  /**
+   * Validates credential issuer metadata structure is correct and creates signed credential issuer metadata JWT
+   */
+  createSignedCredentialIssuerMetadataJwt(options: Omit<CreateSignedCredentialIssuerMetadataJwtOptions, 'callbacks'>): Promise<string>;
   createCredentialOffer(options: Pick<CreateCredentialOfferOptions, 'issuerMetadata' | 'additionalPayload' | 'grants' | 'credentialOfferUri' | 'credentialOfferScheme' | 'credentialConfigurationIds'>): Promise<{
     credentialOffer: string;
     credentialOfferObject: CredentialOfferObject;
@@ -3975,7 +4336,7 @@ declare class Openid4vciIssuer {
       status?: Record<string, any> | undefined;
       trust_chain?: [string, ...string[]] | undefined;
     };
-    signer: _openid4vc_oauth23.JwtSignerWithJwk;
+    signer: _openid4vc_oauth20.JwtSignerWithJwk;
     keyAttestation: {
       header: {
         [x: string]: unknown;
@@ -4097,7 +4458,7 @@ declare class Openid4vciIssuer {
         status?: Record<string, any> | undefined;
         trust_chain?: [string, ...string[]] | undefined;
       };
-      signer: _openid4vc_oauth23.JwtSignerWithJwk;
+      signer: _openid4vc_oauth20.JwtSignerWithJwk;
     } | undefined;
   }>;
   /**
@@ -4227,7 +4588,7 @@ declare class Openid4vciIssuer {
       status?: Record<string, any> | undefined;
       trust_chain?: [string, ...string[]] | undefined;
     };
-    signer: _openid4vc_oauth23.JwtSignerWithJwk;
+    signer: _openid4vc_oauth20.JwtSignerWithJwk;
   }>;
   /**
    * @throws Oauth2ServerErrorResponseError - when validation of the credential request fails
@@ -4363,7 +4724,7 @@ declare class Openid4vciIssuer {
         status?: Record<string, any> | undefined;
         trust_chain?: [string, ...string[]] | undefined;
       };
-      signer: _openid4vc_oauth23.JwtSignerWithJwk;
+      signer: _openid4vc_oauth20.JwtSignerWithJwk;
     };
     clientAttestationPop: {
       header: {
@@ -4452,7 +4813,7 @@ declare class Openid4vciIssuer {
         status?: Record<string, any> | undefined;
         trust_chain?: [string, ...string[]] | undefined;
       };
-      signer: _openid4vc_oauth23.JwtSignerWithJwk;
+      signer: _openid4vc_oauth20.JwtSignerWithJwk;
     };
   }>;
 }

package/dist/index.js

@@ -759,20 +759,76 @@ const zCredentialIssuerMetadataWithDraftVersion = zod.default.union([zCredential
 	originalDraftVersion: Openid4vciDraftVersion.Draft11
 }))]);
 
+//#endregion
+//#region src/metadata/credential-issuer/z-signed-credential-issuer-metadata.ts
+const zSignedCredentialIssuerMetadataHeader = zod.default.object({
+	...__openid4vc_oauth2.zJwtHeader.shape,
+	typ: zod.default.literal("openidvci-issuer-metadata+jwt")
+}).loose();
+const zSignedCredentialIssuerMetadataPayload = zod.default.object({
+	...__openid4vc_oauth2.zJwtPayload.shape,
+	iat: __openid4vc_utils.zInteger,
+	sub: zod.default.string(),
+	...zCredentialIssuerMetadataDraft14Draft15V1.shape
+}).loose();
+
 //#endregion
 //#region src/metadata/credential-issuer/credential-issuer-metadata.ts
 const wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
 /**
 * @inheritdoc {@link fetchWellKnownMetadata}
 */
-async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
+async function fetchCredentialIssuerMetadata(credentialIssuer, options) {
 	const parsedIssuerUrl = new __openid4vc_utils.URL(credentialIssuer);
 	const legacyWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
 	const wellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(parsedIssuerUrl.origin, [wellKnownCredentialIssuerSuffix, parsedIssuerUrl.pathname]);
-	let result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
-	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(legacyWellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
-	if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new __openid4vc_oauth2.Oauth2Error(`The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
-	return result;
+	const acceptedContentType = options?.callbacks?.verifyJwt ? [__openid4vc_utils.ContentType.Jwt, __openid4vc_utils.ContentType.Json] : [__openid4vc_utils.ContentType.Json];
+	const responseSchema = zCredentialIssuerMetadataWithDraftVersion.or(__openid4vc_oauth2.zCompactJwt);
+	let result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(wellKnownMetadataUrl, responseSchema, {
+		fetch: options?.callbacks?.fetch,
+		acceptedContentType
+	});
+	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(legacyWellKnownMetadataUrl, responseSchema, {
+		fetch: options?.callbacks?.fetch,
+		acceptedContentType
+	});
+	let issuerMetadataWithVersion = null;
+	if (typeof result === "string") {
+		if (!options?.callbacks?.verifyJwt) throw new __openid4vc_oauth2.Oauth2Error(`Unable to verify signed credential issuer metadata, no 'verifyJwt' callback provided to fetch credential issuer metadata method.`);
+		const { header, payload, signature } = (0, __openid4vc_oauth2.decodeJwt)({
+			jwt: result,
+			headerSchema: zSignedCredentialIssuerMetadataHeader,
+			payloadSchema: zSignedCredentialIssuerMetadataPayload
+		});
+		if (payload.sub !== credentialIssuer) throw new __openid4vc_oauth2.Oauth2Error(`The 'sub' parameter '${payload.sub}' in the signed well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
+		const signer = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
+			header,
+			payload
+		});
+		const verifyResult = await (0, __openid4vc_oauth2.verifyJwt)({
+			compact: result,
+			header,
+			payload,
+			verifyJwtCallback: options.callbacks.verifyJwt,
+			now: options.now,
+			signer,
+			errorMessage: "signed credential issuer metadata jwt verification failed"
+		});
+		issuerMetadataWithVersion = {
+			...(0, __openid4vc_utils.parseWithErrorHandling)(zCredentialIssuerMetadataWithDraftVersion, payload, "Unable to determine version for signed issuer metadata"),
+			signed: {
+				signer: verifyResult.signer,
+				jwt: {
+					header,
+					payload,
+					signature,
+					compact: result
+				}
+			}
+		};
+	} else if (result) issuerMetadataWithVersion = result;
+	if (issuerMetadataWithVersion && issuerMetadataWithVersion.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new __openid4vc_oauth2.Oauth2Error(`The 'credential_issuer' parameter '${issuerMetadataWithVersion.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
+	return issuerMetadataWithVersion;
 }
 /**
 * Extract credential configuration supported entries where the `format` is known to this
@@ -1397,14 +1453,17 @@ async function verifyCredentialRequestJwtProof(options) {
 //#region src/metadata/fetch-issuer-metadata.ts
 async function resolveIssuerMetadata(credentialIssuer, options) {
 	const allowAuthorizationMetadataFromCredentialIssuerMetadata = options?.allowAuthorizationMetadataFromCredentialIssuerMetadata ?? true;
-	const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, options?.fetch);
+	const credentialIssuerMetadataWithDraftVersion = await fetchCredentialIssuerMetadata(credentialIssuer, {
+		callbacks: options?.callbacks,
+		now: options?.now
+	});
 	if (!credentialIssuerMetadataWithDraftVersion) throw new __openid4vc_oauth2.Oauth2Error(`Well known credential issuer metadata for issuer '${credentialIssuer}' not found.`);
-	const { credentialIssuerMetadata, originalDraftVersion } = credentialIssuerMetadataWithDraftVersion;
+	const { credentialIssuerMetadata, originalDraftVersion, signed } = credentialIssuerMetadataWithDraftVersion;
 	const authorizationServers = credentialIssuerMetadata.authorization_servers ?? [credentialIssuer];
 	const authoriationServersMetadata = [];
 	for (const authorizationServer of authorizationServers) {
 		if (options?.restrictToAuthorizationServers && !options.restrictToAuthorizationServers.includes(authorizationServer)) continue;
-		let authorizationServerMetadata = await (0, __openid4vc_oauth2.fetchAuthorizationServerMetadata)(authorizationServer, options?.fetch);
+		let authorizationServerMetadata = await (0, __openid4vc_oauth2.fetchAuthorizationServerMetadata)(authorizationServer, options?.callbacks.fetch);
 		if (!authorizationServerMetadata && authorizationServer === credentialIssuer && allowAuthorizationMetadataFromCredentialIssuerMetadata) authorizationServerMetadata = (0, __openid4vc_utils.parseWithErrorHandling)(__openid4vc_oauth2.zAuthorizationServerMetadata, {
 			token_endpoint: credentialIssuerMetadata.token_endpoint,
 			issuer: credentialIssuer
@@ -1415,6 +1474,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 	return {
 		originalDraftVersion,
 		credentialIssuer: credentialIssuerMetadata,
+		signedCredentialIssuer: signed,
 		authorizationServers: authoriationServersMetadata
 	};
 }
@@ -1520,7 +1580,7 @@ var Openid4vciClient = class {
 		return resolveCredentialOffer(credentialOffer, { fetch: this.options.callbacks.fetch });
 	}
 	async resolveIssuerMetadata(credentialIssuer) {
-		return resolveIssuerMetadata(credentialIssuer, { fetch: this.options.callbacks.fetch });
+		return resolveIssuerMetadata(credentialIssuer, { callbacks: this.options.callbacks });
 	}
 	/**
 	* Retrieve an authorization code for a presentation during issuance session
@@ -1855,6 +1915,28 @@ async function verifyCredentialRequestAttestationProof(options) {
 	});
 }
 
+//#endregion
+//#region src/metadata/credential-issuer/signed-credential-issuer-metadata.ts
+async function createSignedCredentialIssuerMetadataJwt(options) {
+	const header = (0, __openid4vc_utils.parseWithErrorHandling)(zSignedCredentialIssuerMetadataHeader, {
+		...(0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(options.signer),
+		typ: "openidvci-issuer-metadata+jwt"
+	});
+	const payload = (0, __openid4vc_utils.parseWithErrorHandling)(zSignedCredentialIssuerMetadataPayload, {
+		...options.credentialIssuerMetadata,
+		sub: options.credentialIssuerMetadata.credential_issuer,
+		iat: (0, __openid4vc_utils.dateToSeconds)(options.issuedAt),
+		exp: options.expiresAt ? (0, __openid4vc_utils.dateToSeconds)(options.expiresAt) : void 0,
+		iss: options.issuer,
+		...options.additionalPayload
+	});
+	const { jwt } = await options.callbacks.signJwt(options.signer, {
+		header,
+		payload
+	});
+	return jwt;
+}
+
 //#endregion
 //#region src/Openid4vciIssuer.ts
 var Openid4vciIssuer = class {
@@ -1873,6 +1955,15 @@ var Openid4vciIssuer = class {
 	createCredentialIssuerMetadata(credentialIssuerMetadata) {
 		return (0, __openid4vc_utils.parseWithErrorHandling)(zCredentialIssuerMetadata, credentialIssuerMetadata, "Error validating credential issuer metadata");
 	}
+	/**
+	* Validates credential issuer metadata structure is correct and creates signed credential issuer metadata JWT
+	*/
+	createSignedCredentialIssuerMetadataJwt(options) {
+		return createSignedCredentialIssuerMetadataJwt({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
 	async createCredentialOffer(options) {
 		return createCredentialOffer({
 			callbacks: this.options.callbacks,