npm - @openid4vc/openid4vci - Versions diffs - 0.4.5 → 0.5.0-alpha-20260202131209 - Mend

@openid4vc/openid4vci 0.4.5 → 0.5.0-alpha-20260202131209

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1732,6 +1732,40 @@ declare const zCredentialRequestProofs: z.ZodObject<{
 type CredentialRequestProof = z.infer<typeof zCredentialRequestProof>;
 type CredentialRequestProofsFormatSpecific = z.infer<typeof zCredentialRequestProofs>;
 type CredentialRequestProofs = z.infer<typeof zCredentialRequestProofs>;
+declare const zCredentialResponseEncryption: z.ZodObject<{
+  jwk: z.ZodObject<{
+    kty: z.ZodString;
+    crv: z.ZodOptional<z.ZodString>;
+    x: z.ZodOptional<z.ZodString>;
+    y: z.ZodOptional<z.ZodString>;
+    e: z.ZodOptional<z.ZodString>;
+    n: z.ZodOptional<z.ZodString>;
+    alg: z.ZodOptional<z.ZodString>;
+    d: z.ZodOptional<z.ZodString>;
+    dp: z.ZodOptional<z.ZodString>;
+    dq: z.ZodOptional<z.ZodString>;
+    ext: z.ZodOptional<z.ZodBoolean>;
+    k: z.ZodOptional<z.ZodString>;
+    key_ops: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    kid: z.ZodOptional<z.ZodString>;
+    oth: z.ZodOptional<z.ZodArray<z.ZodObject<{
+      d: z.ZodOptional<z.ZodString>;
+      r: z.ZodOptional<z.ZodString>;
+      t: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>>>;
+    p: z.ZodOptional<z.ZodString>;
+    q: z.ZodOptional<z.ZodString>;
+    qi: z.ZodOptional<z.ZodString>;
+    use: z.ZodOptional<z.ZodString>;
+    x5c: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    x5t: z.ZodOptional<z.ZodString>;
+    'x5t#S256': z.ZodOptional<z.ZodString>;
+    x5u: z.ZodOptional<z.ZodString>;
+  }, z.core.$loose>;
+  alg: z.ZodString;
+  enc: z.ZodString;
+}, z.core.$loose>;
+type CredentialResponseEncryption = z.infer<typeof zCredentialResponseEncryption>;
 declare const zCredentialRequestCommon: z.ZodObject<{
   proof: z.ZodOptional<z.ZodUnion<readonly [z.ZodObject<{
     proof_type: z.ZodString;
@@ -2243,6 +2277,15 @@ interface ParseCredentialRequestReturn {
    * undefined you can still handle the request by using this object directly.
    */
   credentialRequest: CredentialRequest;
+  /**
+   * If the request includes `credential_response_encryption`, this contains the
+   * encryption parameters the client expects the issuer to use for encrypting the response.
+   *
+   * When defined, the issuer should encrypt the credential response using the provided
+   * JWK, algorithm, and content encryption algorithm, and return it with
+   * `Content-Type: application/jwt`.
+   */
+  credentialResponseEncryption?: CredentialResponseEncryption;
 }
 //#endregion
 //#region ../oauth2/src/common/z-oauth2-error.d.ts
@@ -2323,9 +2366,9 @@ interface RetrieveCredentialsBaseOptions {
    */
   issuerMetadata: IssuerMetadataResult;
   /**
-   * Callback used in retrieve credentials endpoints
+   * Callbacks used in retrieve credentials endpoints.
    */
-  callbacks: Pick<CallbackContext, 'fetch' | 'generateRandom' | 'hash' | 'signJwt'>;
+  callbacks: Pick<CallbackContext, 'fetch' | 'generateRandom' | 'hash' | 'signJwt' | 'decryptJwe'>;
   /**
    * Access token authorized to retrieve the credential(s)
    */
@@ -2334,6 +2377,14 @@ interface RetrieveCredentialsBaseOptions {
    * DPoP options
    */
   dpop?: RequestDpopOptions;
+  /**
+   * Request encryption of the credential response. When provided, the client
+   * includes `credential_response_encryption` in the request and expects
+   * an encrypted JWE response.
+   *
+   * The `decryptJwe` callback must be provided to decrypt the response.
+   */
+  credentialResponseEncryption?: CredentialResponseEncryption;
 }
 interface RetrieveCredentialsWithFormatOptions extends RetrieveCredentialsBaseOptions {
   /**
@@ -3077,9 +3128,9 @@ declare enum AuthorizationFlow {
 }
 interface Openid4vciClientOptions {
   /**
-   * Callbacks required for the openid4vc client
+   * Callbacks required for the openid4vc client.
    */
-  callbacks: Omit<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'encryptJwe'>;
+  callbacks: Omit<CallbackContext, 'verifyJwt' | 'encryptJwe'>;
 }
 declare class Openid4vciClient {
   private options;
@@ -3256,15 +3307,16 @@ declare class Openid4vciClient {
     credentialConfigurationId,
     additionalRequestPayload,
     accessToken,
-    dpop
-  }: Pick<RetrieveCredentialsWithFormatOptions, 'accessToken' | 'additionalRequestPayload' | 'issuerMetadata' | 'proof' | 'proofs' | 'dpop'> & {
+    dpop,
+    credentialResponseEncryption
+  }: Pick<RetrieveCredentialsWithFormatOptions, 'accessToken' | 'additionalRequestPayload' | 'issuerMetadata' | 'proof' | 'proofs' | 'dpop' | 'credentialResponseEncryption'> & {
     credentialConfigurationId: string;
   }): Promise<RetrieveCredentialsResponseOk>;
   /**
    * @throws Openid4vciRetrieveCredentialsError - if an unsuccessful response or the response couldn't be parsed as credential response
    * @throws ValidationError - if validation of the credential request failed
    */
-  retrieveDeferredCredentials(options: Pick<RetrieveDeferredCredentialsOptions, 'issuerMetadata' | 'accessToken' | 'transactionId' | 'dpop' | 'additionalRequestPayload'>): Promise<RetrieveDeferredCredentialsResponseOk>;
+  retrieveDeferredCredentials(options: Pick<RetrieveDeferredCredentialsOptions, 'issuerMetadata' | 'accessToken' | 'transactionId' | 'dpop' | 'additionalRequestPayload' | 'credentialResponseEncryption'>): Promise<RetrieveDeferredCredentialsResponseOk>;
   /**
    * @throws Openid4vciSendNotificationError - if an unsuccessful response
    * @throws ValidationError - if validation of the notification request failed
@@ -3278,6 +3330,89 @@ declare class Openid4vciClient {
   }: Pick<SendNotificationOptions, 'accessToken' | 'additionalRequestPayload' | 'issuerMetadata' | 'dpop' | 'notification'>): Promise<_openid4vc_oauth20.ResourceRequestResponseOk>;
 }
 //#endregion
+//#region src/credential-request/credential-response.d.ts
+interface CreateCredentialResponseOptions {
+  credentialRequest: ParseCredentialRequestReturn;
+  credential?: CredentialResponse['credential'];
+  credentials?: CredentialResponse['credentials'];
+  transactionId?: string;
+  interval?: number;
+  cNonce?: string;
+  cNonceExpiresInSeconds?: number;
+  notificationId?: string;
+  /**
+   * Additional payload to include in the credential response
+   */
+  additionalPayload?: Record<string, unknown>;
+  /**
+   * Encryption parameters from the credential request. When provided along with
+   * the `encryptJwe` callback, the credential response will be encrypted as a JWE.
+   *
+   * You can pass `credentialRequest.credentialResponseEncryption` from the parsed
+   * credential request directly to this option.
+   */
+  credentialResponseEncryption?: CredentialResponseEncryption;
+  /**
+   * Callbacks for credential response operations.
+   * Required when `credentialResponseEncryption` is provided.
+   */
+  callbacks?: Pick<CallbackContext, 'encryptJwe'>;
+}
+interface CreateCredentialResponseReturn {
+  /**
+   * The credential response object (before encryption).
+   */
+  credentialResponse: CredentialResponse;
+  /**
+   * The credential response as a JWE string if encryption was requested.
+   * When this is defined, the response should be returned with `Content-Type: application/jwt`.
+   */
+  credentialResponseJwt?: string;
+}
+type CreateDeferredCredentialResponseOptions = ({
+  credentials: DeferredCredentialResponse['credentials'];
+  notificationId?: string;
+  transactionId?: never;
+  interval?: never;
+} | {
+  /**
+   * The `transaction_id` used to identify the deferred issuance transaction.
+   */
+  transactionId: string;
+  interval: number;
+  credentials?: never;
+  notificationId?: never;
+}) & {
+  /**
+   * Additional payload to include in the deferred credential response
+   */
+  additionalPayload?: Record<string, unknown>;
+  /**
+   * Encryption parameters from the deferred credential request. When provided along with
+   * the `encryptJwe` callback, the deferred credential response will be encrypted as a JWE.
+   *
+   * You can pass `deferredCredentialRequest.credential_response_encryption` from the parsed
+   * deferred credential request directly to this option.
+   */
+  credentialResponseEncryption?: CredentialResponseEncryption;
+  /**
+   * Callbacks for credential response operations.
+   * Required when `credentialResponseEncryption` is provided.
+   */
+  callbacks?: Pick<CallbackContext, 'encryptJwe'>;
+};
+interface CreateDeferredCredentialResponseReturn {
+  /**
+   * The deferred credential response object (before encryption).
+   */
+  deferredCredentialResponse: DeferredCredentialResponse;
+  /**
+   * The deferred credential response as a JWE string if encryption was requested.
+   * When this is defined, the response should be returned with `Content-Type: application/jwt`.
+   */
+  deferredCredentialResponseJwt?: string;
+}
+//#endregion
 //#region ../oauth2/src/common/jwk/z-jwk.d.ts
 declare const zJwk$1: z.ZodObject<{
   kty: z.ZodString;
@@ -3646,41 +3781,6 @@ interface VerifyClientAttestationOptions {
   now?: Date;
 }
 //#endregion
-//#region src/credential-request/credential-response.d.ts
-interface CreateCredentialResponseOptions {
-  credentialRequest: ParseCredentialRequestReturn;
-  credential?: CredentialResponse['credential'];
-  credentials?: CredentialResponse['credentials'];
-  transactionId?: string;
-  interval?: number;
-  cNonce?: string;
-  cNonceExpiresInSeconds?: number;
-  notificationId?: string;
-  /**
-   * Additional payload to include in the credential response
-   */
-  additionalPayload?: Record<string, unknown>;
-}
-type CreateDeferredCredentialResponseOptions = ({
-  credentials: DeferredCredentialResponse['credentials'];
-  notificationId?: string;
-  transactionId?: never;
-  interval?: never;
-} | {
-  /**
-   * The `transaction_id` used to identify the deferred issuance transaction.
-   */
-  transactionId: string;
-  interval: number;
-  credentials?: never;
-  notificationId?: never;
-}) & {
-  /**
-   * Additional payload to include in the deferred credential response
-   */
-  additionalPayload?: Record<string, unknown>;
-};
-//#endregion
 //#region src/credential-request/parse-deferred-credential-request.d.ts
 interface ParseDeferredCredentialRequestOptions {
   deferredCredentialRequest: Record<string, unknown>;
@@ -3732,9 +3832,9 @@ interface CreateSignedCredentialIssuerMetadataJwtOptions {
 //#region src/Openid4vciIssuer.d.ts
 interface Openid4vciIssuerOptions {
   /**
-   * Callbacks required for the openid4vc issuer
+   * Callbacks required for the openid4vc issuer.
    */
-  callbacks: Omit<CallbackContext, 'decryptJwe' | 'encryptJwe'>;
+  callbacks: Omit<CallbackContext, 'decryptJwe'>;
 }
 declare class Openid4vciIssuer {
   private options;
@@ -4229,31 +4329,14 @@ declare class Openid4vciIssuer {
   parseDeferredCredentialRequest(options: ParseDeferredCredentialRequestOptions): ParseDeferredCredentialRequestReturn;
   /**
    * @throws ValidationError - when validation of the credential response fails
+   * @throws Openid4vciError - when encryption is requested but no encryptJwe callback is available
    */
-  createCredentialResponse(options: CreateCredentialResponseOptions): {
-    [x: string]: unknown;
-    credentials?: {
-      credential: string | Record<string, any>;
-    }[] | (string | Record<string, any>)[] | undefined;
-    notification_id?: string | undefined;
-    transaction_id?: string | undefined;
-    interval?: number | undefined;
-    credential?: string | Record<string, any> | undefined;
-    c_nonce?: string | undefined;
-    c_nonce_expires_in?: number | undefined;
-  };
+  createCredentialResponse(options: Omit<CreateCredentialResponseOptions, 'callbacks'>): Promise<CreateCredentialResponseReturn>;
   /**
    * @throws ValidationError - when validation of the credential response fails
+   * @throws Openid4vciError - when encryption is requested but no encryptJwe callback is available
    */
-  createDeferredCredentialResponse(options: CreateDeferredCredentialResponseOptions): {
-    [x: string]: unknown;
-    credentials?: {
-      credential: string | Record<string, any>;
-    }[] | (string | Record<string, any>)[] | undefined;
-    notification_id?: string | undefined;
-    transaction_id?: string | undefined;
-    interval?: number | undefined;
-  };
+  createDeferredCredentialResponse(options: Omit<CreateDeferredCredentialResponseOptions, 'callbacks'>): Promise<CreateDeferredCredentialResponseReturn>;
   /**
    * @throws ValidationError - when validation of the nonce response fails
    */
@@ -4464,5 +4547,5 @@ declare class Openid4vciWalletProvider {
   createKeyAttestationJwt(options: Omit<CreateKeyAttestationJwtOptions, 'callbacks'>): Promise<string>;
 }
 //#endregion
-export { AuthorizationFlow, type CreateKeyAttestationJwtOptions, type CredentialConfigurationSupported, type CredentialConfigurationSupportedWithFormats, type CredentialConfigurationsSupported, type CredentialConfigurationsSupportedWithFormats, type CredentialErrorResponse, type CredentialFormatIdentifier, type CredentialIssuerMetadata, type CredentialIssuerMetadataDisplayEntry, type CredentialOfferAuthorizationCodeGrant, type CredentialOfferGrants, type CredentialOfferObject, type CredentialOfferPreAuthorizedCodeGrant, type CredentialOfferPreAuthorizedCodeGrantTxCode, type CredentialRequest, type CredentialRequestFormatSpecific, type CredentialRequestJwtProofTypeHeader, type CredentialRequestJwtProofTypePayload, type CredentialRequestWithFormats, type CredentialResponse, type DeferredCredentialRequest, type DeferredCredentialResponse, type ExtractScopesForCredentialConfigurationIdsOptions, type GetCredentialConfigurationsMatchingRequestFormatOptions, type IssuerMetadataResult, type JwtProofTypeIdentifier, type JwtVcJsonFormatIdentifier, type JwtVcJsonLdFormatIdentifier, type LdpVcFormatIdentifier, type LegacySdJwtVcFormatIdentifier, type MsoMdocFormatIdentifier, type NonceResponse, type NotificationErrorResponse, type NotificationEvent, type Oid4vcTsConfig, Openid4vciClient, type Openid4vciClientOptions, Openid4vciDraftVersion, Openid4vciError, type Openid4vciErrorOptions, Openid4vciIssuer, type Openid4vciIssuerOptions, Openid4vciRetrieveCredentialsError, Openid4vciSendNotificationError, Openid4vciVersion, Openid4vciWalletProvider, type Openid4vciWalletProviderOptions, type ParseCredentialRequestReturn, type ParseKeyAttestationJwtOptions, type ProofTypeIdentifier, type RetrieveCredentialsResponseNotOk, type RetrieveCredentialsResponseOk, type SendNotificationResponseNotOk, type SendNotificationResponseOk, type VerifyKeyAttestationJwtOptions, type VerifyKeyAttestationJwtReturn, createKeyAttestationJwt, credentialsSupportedToCredentialConfigurationsSupported, determineAuthorizationServerForCredentialOffer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat, getGlobalConfig, parseKeyAttestationJwt, setGlobalConfig, verifyKeyAttestationJwt };
+export { AuthorizationFlow, type CreateKeyAttestationJwtOptions, type CredentialConfigurationSupported, type CredentialConfigurationSupportedWithFormats, type CredentialConfigurationsSupported, type CredentialConfigurationsSupportedWithFormats, type CredentialErrorResponse, type CredentialFormatIdentifier, type CredentialIssuerMetadata, type CredentialIssuerMetadataDisplayEntry, type CredentialOfferAuthorizationCodeGrant, type CredentialOfferGrants, type CredentialOfferObject, type CredentialOfferPreAuthorizedCodeGrant, type CredentialOfferPreAuthorizedCodeGrantTxCode, type CredentialRequest, type CredentialRequestFormatSpecific, type CredentialRequestJwtProofTypeHeader, type CredentialRequestJwtProofTypePayload, type CredentialRequestWithFormats, type CredentialResponse, type CredentialResponseEncryption, type DeferredCredentialRequest, type DeferredCredentialResponse, type ExtractScopesForCredentialConfigurationIdsOptions, type GetCredentialConfigurationsMatchingRequestFormatOptions, type IssuerMetadataResult, type JwtProofTypeIdentifier, type JwtVcJsonFormatIdentifier, type JwtVcJsonLdFormatIdentifier, type LdpVcFormatIdentifier, type LegacySdJwtVcFormatIdentifier, type MsoMdocFormatIdentifier, type NonceResponse, type NotificationErrorResponse, type NotificationEvent, type Oid4vcTsConfig, Openid4vciClient, type Openid4vciClientOptions, Openid4vciDraftVersion, Openid4vciError, type Openid4vciErrorOptions, Openid4vciIssuer, type Openid4vciIssuerOptions, Openid4vciRetrieveCredentialsError, Openid4vciSendNotificationError, Openid4vciVersion, Openid4vciWalletProvider, type Openid4vciWalletProviderOptions, type ParseCredentialRequestReturn, type ParseKeyAttestationJwtOptions, type ProofTypeIdentifier, type RetrieveCredentialsResponseNotOk, type RetrieveCredentialsResponseOk, type SendNotificationResponseNotOk, type SendNotificationResponseOk, type VerifyKeyAttestationJwtOptions, type VerifyKeyAttestationJwtReturn, createKeyAttestationJwt, credentialsSupportedToCredentialConfigurationsSupported, determineAuthorizationServerForCredentialOffer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat, getGlobalConfig, parseKeyAttestationJwt, setGlobalConfig, verifyKeyAttestationJwt };
 //# sourceMappingURL=index.d.mts.map

package/dist/index.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { ContentType, OpenId4VcBaseError, URL, URLSearchParams, ValidationError, arrayEqualsIgnoreOrder, createZodFetcher, dateToSeconds, encodeToBase64Url, formatZodError, getGlobalConfig, getQueryParams, isResponseContentType, joinUriParts, objectToQueryParams, parseWithErrorHandling, setGlobalConfig, zDataUrl, zHttpsUrl, zInteger, zIs, zNumericDate } from "@openid4vc/utils";
+import { ContentType, OpenId4VcBaseError, URL, URLSearchParams, ValidationError, arrayEqualsIgnoreOrder, createZodFetcher, dateToSeconds, encodeToBase64Url, formatZodError, getGlobalConfig, getQueryParams, isResponseContentType, joinUriParts, objectToQueryParams, parseWithErrorHandling, setGlobalConfig, stringToJsonWithErrorHandling, zDataUrl, zHttpsUrl, zInteger, zIs, zNumericDate } from "@openid4vc/utils";
 import { InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtVerificationError, Oauth2ServerErrorResponseError, authorizationCodeGrantIdentifier, createClientAttestationJwt, decodeJwt, fetchAuthorizationServerMetadata, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, getAuthorizationServerMetadataFromList, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, preAuthorizedCodeGrantIdentifier, resourceRequest, verifyAuthorizationResponse, verifyJwt, zAuthorizationServerMetadata, zCompactJwt, zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
 import z from "zod";
@@ -1114,14 +1114,15 @@ const zCredentialRequestProofs = z.object({
 	[zJwtProofTypeIdentifier.value]: z.optional(z.array(zCredentialRequestProofJwt.shape.jwt)),
 	[zAttestationProofTypeIdentifier.value]: z.optional(z.array(zCredentialRequestProofAttestation.shape.attestation))
 });
+const zCredentialResponseEncryption = z.object({
+	jwk: zJwk,
+	alg: z.string(),
+	enc: z.string()
+}).loose();
 const zCredentialRequestCommon = z.object({
 	proof: zCredentialRequestProof.optional(),
 	proofs: z.optional(z.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, { message: `The 'proofs' object in a credential request should contain exactly one attribute` })),
-	credential_response_encryption: z.object({
-		jwk: zJwk,
-		alg: z.string(),
-		enc: z.string()
-	}).loose().optional()
+	credential_response_encryption: zCredentialResponseEncryption.optional()
 }).loose().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
 //#endregion
@@ -1206,11 +1207,7 @@ const zCredentialRequest = z.union([
 ]);
 const zDeferredCredentialRequest = z.object({
 	transaction_id: z.string().nonempty(),
-	credential_response_encryption: z.object({
-		jwk: zJwk,
-		alg: z.string(),
-		enc: z.string()
-	}).loose().optional()
+	credential_response_encryption: zCredentialResponseEncryption.optional()
 });
 //#endregion
@@ -1311,6 +1308,39 @@ const zDeferredCredentialResponse = zBaseCredentialResponse.superRefine((value,
 //#endregion
 //#region src/credential-request/retrieve-credentials.ts
+/**
+* Handles credential response by detecting content type, decrypting if needed, and parsing.
+*/
+async function handleCredentialResponse(options) {
+	const { response, decryptJwe, credentialResponseEncryption, schema, responseType } = options;
+	if (isResponseContentType(ContentType.Jwt, response)) {
+		const decryptResult = await decryptJwe(await response.clone().text());
+		if (!decryptResult.decrypted) return {
+			ok: false,
+			parseResult: void 0
+		};
+		const jsonPayload = stringToJsonWithErrorHandling(decryptResult.payload, `Unable to parse decrypted ${responseType} as JSON`);
+		const parseResult$1 = schema.safeParse(jsonPayload);
+		if (!parseResult$1.success) return {
+			ok: false,
+			parseResult: parseResult$1
+		};
+		return {
+			ok: true,
+			data: parseResult$1.data
+		};
+	}
+	if (credentialResponseEncryption) throw new Openid4vciError(`Encryption was requested via 'credential_response_encryption' but the ${responseType} was not encrypted. Expected Content-Type 'application/jwt' but received '${response.headers.get("Content-Type")}'.`);
+	const parseResult = isResponseContentType(ContentType.Json, response) ? schema.safeParse(await response.clone().json()) : void 0;
+	if (!parseResult?.success) return {
+		ok: false,
+		parseResult
+	};
+	return {
+		ok: true,
+		data: parseResult.data
+	};
+}
 async function retrieveCredentialsWithCredentialConfigurationId(options) {
 	if (options.issuerMetadata.originalDraftVersion !== Openid4vciVersion.Draft15 && options.issuerMetadata.originalDraftVersion !== Openid4vciVersion.V1) throw new Openid4vciError("Requesting credentials based on credential configuration ID is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request.");
 	getKnownCredentialConfigurationSupportedById(options.issuerMetadata, options.credentialConfigurationId);
@@ -1318,14 +1348,16 @@ async function retrieveCredentialsWithCredentialConfigurationId(options) {
 		...options.additionalRequestPayload,
 		credential_configuration_id: options.credentialConfigurationId,
 		proof: options.proof,
-		proofs: options.proofs
+		proofs: options.proofs,
+		credential_response_encryption: options.credentialResponseEncryption
 	};
 	return retrieveCredentials({
 		callbacks: options.callbacks,
 		credentialRequest,
 		issuerMetadata: options.issuerMetadata,
 		accessToken: options.accessToken,
-		dpop: options.dpop
+		dpop: options.dpop,
+		credentialResponseEncryption: options.credentialResponseEncryption
 	});
 }
 async function retrieveCredentialsWithFormat(options) {
@@ -1334,14 +1366,16 @@ async function retrieveCredentialsWithFormat(options) {
 		...options.formatPayload,
 		...options.additionalRequestPayload,
 		proof: options.proof,
-		proofs: options.proofs
+		proofs: options.proofs,
+		credential_response_encryption: options.credentialResponseEncryption
 	};
 	return retrieveCredentials({
 		callbacks: options.callbacks,
 		credentialRequest,
 		issuerMetadata: options.issuerMetadata,
 		accessToken: options.accessToken,
-		dpop: options.dpop
+		dpop: options.dpop,
+		credentialResponseEncryption: options.credentialResponseEncryption
 	});
 }
 /**
@@ -1375,15 +1409,21 @@ async function retrieveCredentials(options) {
 			credentialErrorResponseResult
 		};
 	}
-	const credentialResponseResult = isResponseContentType(ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
-	if (!credentialResponseResult?.success) return {
+	const result = await handleCredentialResponse({
+		response: resourceResponse.response,
+		decryptJwe: options.callbacks.decryptJwe,
+		credentialResponseEncryption: options.credentialResponseEncryption,
+		schema: zCredentialResponse,
+		responseType: "credential response"
+	});
+	if (!result.ok) return {
 		...resourceResponse,
 		ok: false,
-		credentialResponseResult
+		credentialResponseResult: result.parseResult
 	};
 	return {
 		...resourceResponse,
-		credentialResponse: credentialResponseResult.data
+		credentialResponse: result.data
 	};
 }
 async function retrieveDeferredCredentials(options) {
@@ -1391,6 +1431,7 @@ async function retrieveDeferredCredentials(options) {
 	if (!credentialEndpoint) throw new Openid4vciError(`Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support deferred credential retrieval.`);
 	const deferredCredentialRequest = parseWithErrorHandling(zDeferredCredentialRequest, {
 		transaction_id: options.transactionId,
+		credential_response_encryption: options.credentialResponseEncryption,
 		...options.additionalRequestPayload
 	}, "Error validating deferred credential request");
 	const resourceResponse = await resourceRequest({
@@ -1411,15 +1452,22 @@ async function retrieveDeferredCredentials(options) {
 			deferredCredentialErrorResponseResult
 		};
 	}
-	const deferredCredentialResponseResult = isResponseContentType(ContentType.Json, resourceResponse.response) ? zDeferredCredentialResponse.refine((response) => response.credentials || response.transaction_id === options.transactionId, { error: `Transaction id in deferred credential response does not match transaction id in deferred credential request '${options.transactionId}'` }).safeParse(await resourceResponse.response.clone().json()) : void 0;
-	if (!deferredCredentialResponseResult?.success) return {
+	const deferredResponseSchema = zDeferredCredentialResponse.refine((response) => response.credentials || response.transaction_id === options.transactionId, { message: `Transaction id in deferred credential response does not match transaction id in deferred credential request '${options.transactionId}'` });
+	const result = await handleCredentialResponse({
+		response: resourceResponse.response,
+		decryptJwe: options.callbacks.decryptJwe,
+		credentialResponseEncryption: options.credentialResponseEncryption,
+		schema: deferredResponseSchema,
+		responseType: "deferred credential response"
+	});
+	if (!result.ok) return {
 		...resourceResponse,
 		ok: false,
-		deferredCredentialResponseResult
+		deferredCredentialResponseResult: result.parseResult
 	};
 	return {
 		...resourceResponse,
-		deferredCredentialResponse: deferredCredentialResponseResult.data
+		deferredCredentialResponse: result.data
 	};
 }
@@ -1845,7 +1893,7 @@ var Openid4vciClient = class {
 	* @throws ValidationError - if validation of the credential request failed
 	* @throws Openid4vciError - if the `credentialConfigurationId` couldn't be found, or if the the format specific request couldn't be constructed
 	*/
-	async retrieveCredentials({ issuerMetadata, proof, proofs, credentialConfigurationId, additionalRequestPayload, accessToken, dpop }) {
+	async retrieveCredentials({ issuerMetadata, proof, proofs, credentialConfigurationId, additionalRequestPayload, accessToken, dpop, credentialResponseEncryption }) {
 		let credentialResponse;
 		if (issuerMetadata.originalDraftVersion === Openid4vciVersion.Draft15 || issuerMetadata.originalDraftVersion === Openid4vciVersion.V1) credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
 			accessToken,
@@ -1855,7 +1903,8 @@ var Openid4vciClient = class {
 			proof,
 			proofs,
 			callbacks: this.options.callbacks,
-			dpop
+			dpop,
+			credentialResponseEncryption
 		});
 		else credentialResponse = await retrieveCredentialsWithFormat({
 			accessToken,
@@ -1868,7 +1917,8 @@ var Openid4vciClient = class {
 			proof,
 			proofs,
 			callbacks: this.options.callbacks,
-			dpop
+			dpop,
+			credentialResponseEncryption
 		});
 		if (!credentialResponse.ok) throw new Openid4vciRetrieveCredentialsError(`Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`, credentialResponse, await credentialResponse.response.clone().text());
 		return credentialResponse;
@@ -1905,8 +1955,8 @@ var Openid4vciClient = class {
 //#endregion
 //#region src/credential-request/credential-response.ts
-function createCredentialResponse(options) {
-	return parseWithErrorHandling(zCredentialResponse, {
+async function createCredentialResponse(options) {
+	const credentialResponse = parseWithErrorHandling(zCredentialResponse, {
 		c_nonce: options.cNonce,
 		c_nonce_expires_in: options.cNonceExpiresInSeconds,
 		credential: options.credential,
@@ -1917,15 +1967,45 @@ function createCredentialResponse(options) {
 		format: options.credentialRequest.format?.format,
 		...options.additionalPayload
 	});
+	if (options.credentialResponseEncryption) {
+		if (!options.callbacks?.encryptJwe) throw new Openid4vciError("'credentialResponseEncryption' was provided but 'callbacks.encryptJwe' is not defined. Provide the 'encryptJwe' callback to encrypt the credential response.");
+		const jweEncryptor = {
+			method: "jwk",
+			publicJwk: options.credentialResponseEncryption.jwk,
+			alg: options.credentialResponseEncryption.alg,
+			enc: options.credentialResponseEncryption.enc
+		};
+		const { jwe } = await options.callbacks.encryptJwe(jweEncryptor, JSON.stringify(credentialResponse));
+		return {
+			credentialResponse,
+			credentialResponseJwt: jwe
+		};
+	}
+	return { credentialResponse };
 }
-function createDeferredCredentialResponse(options) {
-	return parseWithErrorHandling(zDeferredCredentialResponse, {
+async function createDeferredCredentialResponse(options) {
+	const deferredCredentialResponse = parseWithErrorHandling(zDeferredCredentialResponse, {
 		credentials: options.credentials,
 		notification_id: options.notificationId,
 		transaction_id: options.transactionId,
 		interval: options.interval,
 		...options.additionalPayload
 	});
+	if (options.credentialResponseEncryption) {
+		if (!options.callbacks?.encryptJwe) throw new Openid4vciError("'credentialResponseEncryption' was provided but 'callbacks.encryptJwe' is not defined. Provide the 'encryptJwe' callback to encrypt the deferred credential response.");
+		const jweEncryptor = {
+			method: "jwk",
+			publicJwk: options.credentialResponseEncryption.jwk,
+			alg: options.credentialResponseEncryption.alg,
+			enc: options.credentialResponseEncryption.enc
+		};
+		const { jwe } = await options.callbacks.encryptJwe(jweEncryptor, JSON.stringify(deferredCredentialResponse));
+		return {
+			deferredCredentialResponse,
+			deferredCredentialResponseJwt: jwe
+		};
+	}
+	return { deferredCredentialResponse };
 }
 //#endregion
@@ -1938,28 +2018,33 @@ function parseCredentialRequest(options) {
 	const knownProof = z.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
 	if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
 	else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
+	const credentialResponseEncryption = credentialRequest.credential_response_encryption;
 	if (credentialRequest.credential_configuration_id) {
 		getKnownCredentialConfigurationSupportedById(options.issuerMetadata, credentialRequest.credential_configuration_id);
 		return {
 			credentialConfiguration: options.issuerMetadata.knownCredentialConfigurations[credentialRequest.credential_configuration_id],
 			credentialConfigurationId: credentialRequest.credential_configuration_id,
 			credentialRequest,
-			proofs
+			proofs,
+			credentialResponseEncryption
 		};
 	}
 	if (credentialRequest.credential_identifier) return {
 		credentialIdentifier: credentialRequest.credential_identifier,
 		credentialRequest,
-		proofs
+		proofs,
+		credentialResponseEncryption
 	};
 	if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) return {
 		format: parseWithErrorHandling(z.union(allCredentialRequestFormats), credentialRequest, "Unable to validate format specific properties from credential request"),
 		credentialRequest,
-		proofs
+		proofs,
+		credentialResponseEncryption
 	};
 	return {
 		credentialRequest,
-		proofs
+		proofs,
+		credentialResponseEncryption
 	};
 }
@@ -2121,15 +2206,23 @@ var Openid4vciIssuer = class {
 	}
 	/**
 	* @throws ValidationError - when validation of the credential response fails
+	* @throws Openid4vciError - when encryption is requested but no encryptJwe callback is available
 	*/
 	createCredentialResponse(options) {
-		return createCredentialResponse(options);
+		return createCredentialResponse({
+			...options,
+			callbacks: options.credentialResponseEncryption ? { encryptJwe: this.options.callbacks.encryptJwe } : void 0
+		});
 	}
 	/**
 	* @throws ValidationError - when validation of the credential response fails
+	* @throws Openid4vciError - when encryption is requested but no encryptJwe callback is available
 	*/
 	createDeferredCredentialResponse(options) {
-		return createDeferredCredentialResponse(options);
+		return createDeferredCredentialResponse({
+			...options,
+			callbacks: options.credentialResponseEncryption ? { encryptJwe: this.options.callbacks.encryptJwe } : void 0
+		});
 	}
 	/**
 	* @throws ValidationError - when validation of the nonce response fails