npm - @openid4vc/openid4vci - Versions diffs - 0.4.6-alpha-20260201172333 → 0.5.0-alpha-20260202155954 - Mend

@openid4vc/openid4vci 0.4.6-alpha-20260201172333 → 0.5.0-alpha-20260202155954

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
-import { ContentType, OpenId4VcBaseError, URL, URLSearchParams, ValidationError, arrayEqualsIgnoreOrder, createZodFetcher, dateToSeconds, encodeToBase64Url, formatZodError, getGlobalConfig, getQueryParams, isResponseContentType, joinUriParts, objectToQueryParams, parseWithErrorHandling, setGlobalConfig, zDataUrl, zHttpsUrl, zInteger, zIs, zNumericDate } from "@openid4vc/utils";
-import { InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtVerificationError, Oauth2ServerErrorResponseError, authorizationCodeGrantIdentifier, createClientAttestationJwt, decodeJwt, fetchAuthorizationServerMetadata, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, getAuthorizationServerMetadataFromList, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, preAuthorizedCodeGrantIdentifier, resourceRequest, verifyAuthorizationResponse, verifyJwt, zAuthorizationServerMetadata, zCompactJwt, zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
-import z from "zod";
+import { ContentType, Headers, InvalidFetchResponseError, OpenId4VcBaseError, URL, URLSearchParams, ValidationError, arrayEqualsIgnoreOrder, createZodFetcher, dateToSeconds, encodeToBase64Url, formatZodError, getGlobalConfig, getQueryParams, isResponseContentType, joinUriParts, objectToQueryParams, parseWithErrorHandling, setGlobalConfig, stringToJsonWithErrorHandling, zDataUrl, zHttpsUrl, zInteger, zIs, zNumericDate } from "@openid4vc/utils";
+import { InvalidFetchResponseError as InvalidFetchResponseError$1, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtVerificationError, Oauth2ServerErrorResponseError, authorizationCodeGrantIdentifier, authorizationServerRequestWithDpopRetry, createClientAttestationJwt, createDpopHeadersForRequest, createPkce, decodeJwt, extractDpopNonceFromHeaders, fetchAuthorizationServerMetadata, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, getAuthorizationServerMetadataFromList, isJarAuthorizationRequest, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationRequest, parseAuthorizationResponseRedirectUrl, parseJarRequest, preAuthorizedCodeGrantIdentifier, resourceRequest, verifyAuthorizationRequest, verifyAuthorizationResponse, verifyJarRequest, verifyJwt, zAuthorizationRequest, zAuthorizationServerMetadata, zCompactJwt, zJarAuthorizationRequest, zJwk, zJwtHeader, zJwtPayload, zOauth2ErrorResponse } from "@openid4vc/oauth2";
+import z$1, { z } from "zod";
 //#region src/version.ts
 let Openid4vciVersion = /* @__PURE__ */ function(Openid4vciVersion$1) {
@@ -17,35 +17,35 @@ const Openid4vciDraftVersion = Openid4vciVersion;
 //#endregion
 //#region src/credential-offer/z-credential-offer.ts
-const zTxCode = z.object({
-	input_mode: z.union([z.literal("numeric"), z.literal("text")]).optional(),
-	length: z.number().int().optional(),
-	description: z.string().max(300).optional()
+const zTxCode = z$1.object({
+	input_mode: z$1.union([z$1.literal("numeric"), z$1.literal("text")]).optional(),
+	length: z$1.number().int().optional(),
+	description: z$1.string().max(300).optional()
 }).loose();
-const zCredentialOfferGrants = z.object({
-	authorization_code: z.object({
-		issuer_state: z.string().optional(),
+const zCredentialOfferGrants = z$1.object({
+	authorization_code: z$1.object({
+		issuer_state: z$1.string().optional(),
 		authorization_server: zHttpsUrl.optional()
 	}).loose().optional(),
-	[preAuthorizedCodeGrantIdentifier]: z.object({
-		"pre-authorized_code": z.string(),
+	[preAuthorizedCodeGrantIdentifier]: z$1.object({
+		"pre-authorized_code": z$1.string(),
 		tx_code: zTxCode.optional(),
 		authorization_server: zHttpsUrl.optional()
 	}).loose().optional()
 }).loose();
-const zCredentialOfferObjectDraft14 = z.object({
+const zCredentialOfferObjectDraft14 = z$1.object({
 	credential_issuer: zHttpsUrl,
-	credential_configuration_ids: z.array(z.string()),
-	grants: z.optional(zCredentialOfferGrants)
+	credential_configuration_ids: z$1.array(z$1.string()),
+	grants: z$1.optional(zCredentialOfferGrants)
 }).loose();
-const zCredentialOfferObjectDraft11To14 = z.object({
+const zCredentialOfferObjectDraft11To14 = z$1.object({
 	credential_issuer: zHttpsUrl,
-	credentials: z.array(z.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })),
-	grants: z.optional(z.object({
+	credentials: z$1.array(z$1.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })),
+	grants: z$1.optional(z$1.object({
 		authorization_code: zCredentialOfferGrants.shape.authorization_code,
-		[preAuthorizedCodeGrantIdentifier]: z.object({
-			"pre-authorized_code": z.string(),
-			user_pin_required: z.optional(z.boolean())
+		[preAuthorizedCodeGrantIdentifier]: z$1.object({
+			"pre-authorized_code": z$1.string(),
+			user_pin_required: z$1.optional(z$1.boolean())
 		}).loose().optional()
 	}))
 }).loose().transform(({ credentials, grants, ...rest }) => {
@@ -63,7 +63,7 @@ const zCredentialOfferObjectDraft11To14 = z.object({
 	}
 	return v14;
 }).pipe(zCredentialOfferObjectDraft14);
-const zCredentialOfferObject = z.union([zCredentialOfferObjectDraft14, zCredentialOfferObjectDraft11To14]);
+const zCredentialOfferObject = z$1.union([zCredentialOfferObjectDraft14, zCredentialOfferObjectDraft11To14]);
 //#endregion
 //#region src/credential-offer/credential-offer.ts
@@ -75,7 +75,7 @@ async function resolveCredentialOffer(credentialOffer, options) {
 	let credentialOfferParseResult;
 	if (parsedQueryParams.credential_offer_uri) {
 		const { response, result } = await createZodFetcher(options?.fetch)(zCredentialOfferObject, ContentType.Json, parsedQueryParams.credential_offer_uri);
-		if (!response.ok || !result) throw new InvalidFetchResponseError(`Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
+		if (!response.ok || !result) throw new InvalidFetchResponseError$1(`Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
 		credentialOfferParseResult = result;
 	} else if (parsedQueryParams.credential_offer) {
 		let credentialOfferJson;
@@ -167,6 +167,15 @@ function getCredentialConfigurationsMatchingRequestFormat({ requestFormat, issue
 	}));
 }
+//#endregion
+//#region src/error/Openid4vciClientInteractiveAuthorizationError.ts
+var Openid4vciClientInteractiveAuthorizationError = class extends Oauth2ClientErrorResponseError {
+	constructor(message, errorResponse, response) {
+		super(message, errorResponse, response);
+		this.errorResponse = errorResponse;
+	}
+};
 //#endregion
 //#region src/error/Openid4vciError.ts
 var Openid4vciError = class extends Error {
@@ -197,31 +206,466 @@ var Openid4vciSendNotificationError = class extends Openid4vciError {
 	}
 };
+//#endregion
+//#region src/interactive-authorization/z-interactive-authorization.ts
+/**
+* Schema for Interactive Authorization Request (initial request)
+*
+* Based on OpenID4VCI 1.1 Interactive Authorization Endpoint
+* Similar to PAR request but sent to interactive_authorization_endpoint
+*/
+const zInteractiveAuthorizationInitialRequest = z.object({
+	...zAuthorizationRequest.omit({ response_type: true }).shape,
+	interaction_types_supported: z.string(),
+	response_type: z.literal("code").default("code")
+}).loose();
+/**
+* Schema for Follow-up Interactive Authorization Request
+*
+* Follow-up requests include auth_session and interaction-specific parameters
+*/
+const zInteractiveAuthorizationFollowUpRequest = z.object({
+	auth_session: z.string(),
+	openid4vp_response: z.optional(z.string()),
+	code_verifier: z.optional(z.string())
+}).loose();
+/**
+* Base schema for Interaction Required Response
+*
+* Contains fields common to all interaction types
+*/
+const zInteractiveAuthorizationInteractionRequiredResponseBase = z.object({
+	status: z.literal("require_interaction"),
+	auth_session: z.string(),
+	expires_in: z.optional(zInteger)
+});
+/**
+* Schema for OpenID4VP Presentation Interaction Response
+*
+* Returned when the Authorization Server requires an OpenID4VP presentation
+*/
+const zInteractiveAuthorizationOpenid4vpPresentationResponse = zInteractiveAuthorizationInteractionRequiredResponseBase.extend({
+	type: z.literal("openid4vp_presentation"),
+	openid4vp_request: z.record(z.string(), z.unknown())
+}).loose();
+/**
+* Schema for Redirect to Web Interaction Response
+*
+* Returned when the Authorization Server requires a browser redirect
+*/
+const zInteractiveAuthorizationRedirectToWebResponse = zInteractiveAuthorizationInteractionRequiredResponseBase.extend({
+	type: z.literal("redirect_to_web"),
+	request_uri: z.string()
+}).loose();
+/**
+* Schema for Interaction Required Response (discriminated union)
+*
+* Returned when the Authorization Server requires additional user interaction.
+* Uses discriminated union on 'type' field for better type inference.
+*/
+const zInteractiveAuthorizationInteractionRequiredResponse = z.discriminatedUnion("type", [zInteractiveAuthorizationOpenid4vpPresentationResponse, zInteractiveAuthorizationRedirectToWebResponse]);
+/**
+* Schema for Authorization Code Response
+*
+* Returned when authorization is successfully completed
+*/
+const zInteractiveAuthorizationCodeResponse = z.object({
+	status: z.literal("ok"),
+	code: z.string()
+}).loose();
+/**
+/**
+* Union type for all possible Interactive Authorization Responses
+*/
+const zInteractiveAuthorizationResponse = z.union([zInteractiveAuthorizationInteractionRequiredResponse, zInteractiveAuthorizationCodeResponse]);
+/**
+* Type guard to check if a request is a JAR Interactive Authorization Request
+*/
+function isInteractiveAuthorizationFollowUpRequest(request) {
+	return request.auth_session !== void 0;
+}
+//#endregion
+//#region src/interactive-authorization/create-interactive-authorization-response.ts
+/**
+* Create a successful Interactive Authorization Code Response
+*
+* This response indicates that the authorization process is complete
+* and returns an authorization code that can be exchanged for an access token.
+*
+* @param options - Response options
+* @returns The authorization code response
+*
+* @example
+* ```ts
+* const response = createInteractiveAuthorizationCodeResponse({
+*   authorizationCode: 'SplxlOBeZQQYbYS6WxSbIA'
+* })
+* ```
+*/
+function createInteractiveAuthorizationCodeResponse(options) {
+	return parseWithErrorHandling(zInteractiveAuthorizationCodeResponse, {
+		status: "ok",
+		code: options.authorizationCode,
+		...options.additionalPayload
+	});
+}
+/**
+* Create an Interactive Authorization Interaction Required Response
+* requesting an OpenID4VP presentation
+*
+* This response indicates that the wallet must present credentials
+* via OpenID4VP before authorization can be granted.
+*
+* @param options - Response options
+* @returns The interaction required response
+*
+* @example With unsigned request
+* ```ts
+* const response = createInteractiveAuthorizationOpenid4vpInteraction({
+*   authSession: 'session-123',
+*   openid4vpRequest: {
+*     response_type: 'vp_token',
+*     response_mode: 'iae_post',
+*     nonce: 'n-0S6_WzA2Mj',
+*     dcql_query: { ... }
+*   }
+* })
+* ```
+*
+* @example With signed request
+* ```ts
+* const response = createInteractiveAuthorizationOpenid4vpInteraction({
+*   authSession: 'session-123',
+*   openid4vpRequest: {
+*     request: 'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...'
+*   }
+* })
+* ```
+*/
+function createInteractiveAuthorizationOpenid4vpInteraction(options) {
+	return parseWithErrorHandling(zInteractiveAuthorizationInteractionRequiredResponse, {
+		status: "require_interaction",
+		type: "openid4vp_presentation",
+		auth_session: options.authSession,
+		openid4vp_request: options.openid4vpRequest,
+		...options.additionalPayload
+	});
+}
+/**
+* Create an Interactive Authorization Interaction Required Response
+* requesting a redirect to web
+*
+* This response indicates that the authorization process must continue
+* via interactions with the user in a web browser.
+*
+* @param options - Response options
+* @returns The interaction required response
+*
+* @example
+* ```ts
+* const response = createInteractiveAuthorizationRedirectToWebInteraction({
+*   authSession: 'session-123',
+*   requestUri: 'urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c',
+*   expiresIn: 60
+* })
+* ```
+*/
+function createInteractiveAuthorizationRedirectToWebInteraction(options) {
+	return parseWithErrorHandling(zInteractiveAuthorizationInteractionRequiredResponse, {
+		status: "require_interaction",
+		type: "redirect_to_web",
+		auth_session: options.authSession,
+		request_uri: options.requestUri,
+		expires_in: options.expiresIn,
+		...options.additionalPayload
+	});
+}
+/**
+* Create an Interactive Authorization Error Response
+*
+* This response indicates that an error occurred during the authorization process.
+*
+* @param options - Error response options
+* @returns The error response
+*
+* @example
+* ```ts
+* const response = createInteractiveAuthorizationErrorResponse({
+*   error: 'missing_interaction_type',
+*   errorDescription: 'interaction_types_supported is missing openid4vp_presentation'
+* })
+* ```
+*/
+function createInteractiveAuthorizationErrorResponse(options) {
+	return parseWithErrorHandling(zOauth2ErrorResponse, {
+		error: options.error,
+		error_description: options.errorDescription,
+		error_uri: options.errorUri,
+		...options.additionalPayload
+	});
+}
+//#endregion
+//#region src/interactive-authorization/parse-interactive-authorization-request.ts
+let InteractiveAuthorizationRequestType = /* @__PURE__ */ function(InteractiveAuthorizationRequestType$1) {
+	InteractiveAuthorizationRequestType$1["Initial"] = "Initial";
+	InteractiveAuthorizationRequestType$1["FollowUp"] = "FollowUp";
+	return InteractiveAuthorizationRequestType$1;
+}({});
+/**
+* Parse an Interactive Authorization Request
+*
+* This function parses and validates an Interactive Authorization Endpoint request.
+* It automatically detects whether this is an initial request, a follow-up request,
+* or a JAR (JWT-secured) request based on the parameters present.
+*
+* @param options - Parsing options
+* @returns The parsed request and metadata
+* @throws {Oauth2ServerErrorResponseError} if validation fails
+*
+* @example Parse initial request
+* ```ts
+* const { interactiveAuthorizationRequest, isFollowUpRequest } = await parseInteractiveAuthorizationRequest({
+*   request: req,
+*   interactiveAuthorizationRequest: req.body,
+*   callbacks: { fetch }
+* })
+* // isFollowUpRequest = false
+* ```
+*
+* @example Parse follow-up request
+* ```ts
+* const { interactiveAuthorizationRequest, isFollowUpRequest } = await parseInteractiveAuthorizationRequest({
+*   request: req,
+*   interactiveAuthorizationRequest: req.body,
+*   callbacks: { fetch }
+* })
+* // isFollowUpRequest = true
+* ```
+*
+* @example Parse JAR request
+* ```ts
+* const { interactiveAuthorizationRequest, interactiveAuthorizationRequestJwt } = await parseInteractiveAuthorizationRequest({
+*   request: req,
+*   interactiveAuthorizationRequest: req.body,
+*   callbacks: { fetch }
+* })
+* // interactiveAuthorizationRequestJwt contains the signed JWT
+* ```
+*/
+async function parseInteractiveAuthorizationRequest(options) {
+	const parsed = parseWithErrorHandling(z$1.union([
+		zInteractiveAuthorizationInitialRequest,
+		zInteractiveAuthorizationFollowUpRequest,
+		zJarAuthorizationRequest
+	]), options.interactiveAuthorizationRequest, "Invalid interactive authorization request. Could not parse as initial request, follow-up request, or JAR request.");
+	if (isInteractiveAuthorizationFollowUpRequest(parsed)) return {
+		type: InteractiveAuthorizationRequestType.FollowUp,
+		interactiveAuthorizationRequest: parsed
+	};
+	let interactiveAuthorizationRequest;
+	let interactiveAuthorizationRequestJwt;
+	if (isJarAuthorizationRequest(parsed)) {
+		const parsedJar = await parseJarRequest({
+			jarRequestParams: parsed,
+			callbacks: options.callbacks
+		});
+		const jwt = decodeJwt({ jwt: parsedJar.authorizationRequestJwt });
+		const parsedInteractiveAuthorizationRequest = zInteractiveAuthorizationInitialRequest.safeParse(jwt.payload);
+		if (!parsedInteractiveAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Invalid interactive authorization request. Could not parse JAR request payload.\n${formatZodError(parsedInteractiveAuthorizationRequest.error)}`
+		});
+		interactiveAuthorizationRequestJwt = parsedJar.authorizationRequestJwt;
+		interactiveAuthorizationRequest = parsedInteractiveAuthorizationRequest.data;
+	} else interactiveAuthorizationRequest = parsed;
+	const { clientAttestation, dpop } = parseAuthorizationRequest({
+		authorizationRequest: interactiveAuthorizationRequest,
+		request: options.request
+	});
+	return {
+		type: InteractiveAuthorizationRequestType.Initial,
+		interactiveAuthorizationRequest,
+		interactiveAuthorizationRequestJwt,
+		dpop,
+		clientAttestation,
+		interactionTypesSupported: interactiveAuthorizationRequest.interaction_types_supported.split(",")
+	};
+}
+//#endregion
+//#region src/interactive-authorization/send-interactive-authorization-request.ts
+/**
+* Send an Interactive Authorization Request to the Authorization Server
+*
+* Implements the Interactive Authorization Endpoint flow from OpenID4VCI 1.1.
+* This endpoint enables complex authentication and authorization flows where
+* interaction occurs directly with the Wallet rather than being intermediated
+* by a browser.
+*
+* The request can be either:
+* - Initial request: Contains authorization parameters and interaction_types_supported
+* - Follow-up request: Contains auth_session and interaction-specific parameters
+*
+* @param options - Configuration options for the request
+* @returns The interactive authorization response and updated DPoP config
+* @throws {Oauth2Error} if the authorization server doesn't support interactive authorization
+* @throws {Openid4vciClientInteractiveAuthorizationError} if the request failed and an error response is returned
+* @throws {InvalidFetchResponseError} if the request failed but no error response could be parsed
+* @throws {ValidationError} if a successful response was received but an error occurred during verification
+*
+* @example Initial request
+* ```ts
+* const result = await sendInteractiveAuthorizationRequest({
+*   callbacks,
+*   authorizationServerMetadata,
+*   request: {
+*     response_type: 'code',
+*     client_id: 'my-client',
+*     interaction_types_supported: 'openid4vp_presentation,redirect_to_web',
+*     authorization_details: [...]
+*   }
+* })
+* ```
+*
+* @example Follow-up request with OpenID4VP response
+* ```ts
+* const result = await sendInteractiveAuthorizationRequest({
+*   callbacks,
+*   authorizationServerMetadata,
+*   request: {
+*     auth_session: 'session-123',
+*     openid4vp_response: JSON.stringify({ vp_token: '...' })
+*   }
+* })
+* ```
+*/
+async function sendInteractiveAuthorizationRequest(options) {
+	const fetchWithZod = createZodFetcher(options.callbacks.fetch);
+	const authorizationServerMetadata = options.authorizationServerMetadata;
+	const interactiveAuthorizationEndpoint = authorizationServerMetadata.interactive_authorization_endpoint;
+	if (!interactiveAuthorizationEndpoint) throw new Oauth2Error(`Unable to send interactive authorization request. Authorization server '${authorizationServerMetadata.issuer}' has no 'interactive_authorization_endpoint'`);
+	const interactiveAuthorizationRequest = options.request.auth_session ? parseWithErrorHandling(zInteractiveAuthorizationFollowUpRequest, options.request, "Invalid interactive authorization follow-up request") : parseWithErrorHandling(zInteractiveAuthorizationInitialRequest, options.request, "Invalid interactive authorization request");
+	return authorizationServerRequestWithDpopRetry({
+		dpop: options.dpop,
+		request: async (dpop) => {
+			const headers = new Headers({
+				...dpop ? await createDpopHeadersForRequest({
+					request: {
+						method: "POST",
+						url: interactiveAuthorizationEndpoint
+					},
+					signer: dpop.signer,
+					callbacks: options.callbacks,
+					nonce: dpop.nonce
+				}) : void 0,
+				...options.additionalHeaders,
+				"Content-Type": ContentType.XWwwFormUrlencoded
+			});
+			const { response, result } = await fetchWithZod(zInteractiveAuthorizationResponse, ContentType.Json, interactiveAuthorizationEndpoint, {
+				method: "POST",
+				body: objectToQueryParams(interactiveAuthorizationRequest).toString(),
+				headers
+			});
+			if (!response.ok || !result) {
+				const interactiveAuthorizationErrorResponse = zOauth2ErrorResponse.safeParse(await response.clone().json().catch(() => null));
+				if (interactiveAuthorizationErrorResponse.success) throw new Openid4vciClientInteractiveAuthorizationError(`Error requesting authorization from interactive authorization endpoint '${authorizationServerMetadata.interactive_authorization_endpoint}'. Received response with status ${response.status}`, interactiveAuthorizationErrorResponse.data, response);
+				throw new InvalidFetchResponseError(`Error requesting authorization from interactive authorization endpoint '${authorizationServerMetadata.interactive_authorization_endpoint}'. Received response with status ${response.status}`, await response.clone().text(), response);
+			}
+			if (!result.success) throw new ValidationError("Error validating interactive authorization response", result.error);
+			const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
+			return {
+				interactiveAuthorizationResponse: result.data,
+				dpop: dpop ? {
+					...dpop,
+					nonce: dpopNonce
+				} : void 0
+			};
+		}
+	});
+}
+//#endregion
+//#region src/interactive-authorization/verify-interactive-authorization-request.ts
+/**
+* Verify an initial (possibly signed) Interactive Authorization Request
+*
+* This function verifies the interactive authorization request including:
+* - JAR (JWT-secured Authorization Request) signature verification (if present)
+* - Client attestation (if present)
+* - DPoP binding (if present)
+* - Authorization request parameters
+*
+* @param options - Verification options
+* @returns Verification result with client attestation and DPoP info
+*
+* @example Verify initial request
+* ```ts
+* const result = await verifyInteractiveAuthorizationInitialRequest({
+*   interactiveAuthorizationRequest: request,
+*   authorizationServerMetadata,
+*   callbacks: { fetch, verifyJwt }
+* })
+* ```
+*
+* @example Verify JAR request
+* ```ts
+* const result = await verifyInteractiveAuthorizationInitialRequest({
+*   interactiveAuthorizationRequest: jarRequest,
+*   interactiveAuthorizationRequestJwt: jwt,
+*   jwtSigner: { ... },
+*   authorizationServerMetadata,
+*   callbacks: { fetch, verifyJwt }
+* })
+* ```
+*/
+async function verifyInteractiveAuthorizationInitialRequest(options) {
+	let jar;
+	if (options.interactiveAuthorizationRequestJwt) jar = await verifyJarRequest({
+		authorizationRequestJwt: options.interactiveAuthorizationRequestJwt.jwt,
+		jarRequestParams: options.interactiveAuthorizationRequest,
+		callbacks: options.callbacks,
+		jwtSigner: options.interactiveAuthorizationRequestJwt.signer
+	});
+	const { clientAttestation, dpop } = await verifyAuthorizationRequest({
+		...options,
+		authorizationRequest: options.interactiveAuthorizationRequest
+	});
+	return {
+		dpop,
+		clientAttestation,
+		jar
+	};
+}
 //#endregion
 //#region src/key-attestation/z-key-attestation.ts
-const zKeyAttestationJwtHeader = z.object({
+const zKeyAttestationJwtHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("keyattestation+jwt").or(z.literal("key-attestation+jwt"))
+	typ: z$1.literal("keyattestation+jwt").or(z$1.literal("key-attestation+jwt"))
 }).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
-const zIso18045 = z.enum([
+const zIso18045 = z$1.enum([
 	"iso_18045_high",
 	"iso_18045_moderate",
 	"iso_18045_enhanced-basic",
 	"iso_18045_basic"
 ]);
-const zIso18045OrStringArray = z.array(z.union([zIso18045, z.string()]));
-const zKeyAttestationJwtPayload = z.object({
+const zIso18045OrStringArray = z$1.array(z$1.union([zIso18045, z$1.string()]));
+const zKeyAttestationJwtPayload = z$1.object({
 	...zJwtPayload.shape,
 	iat: zNumericDate,
-	attested_keys: z.array(zJwk),
-	key_storage: z.optional(zIso18045OrStringArray),
-	user_authentication: z.optional(zIso18045OrStringArray),
-	certification: z.optional(z.url())
+	attested_keys: z$1.array(zJwk),
+	key_storage: z$1.optional(zIso18045OrStringArray),
+	user_authentication: z$1.optional(zIso18045OrStringArray),
+	certification: z$1.optional(z$1.url())
 }).loose();
-const zKeyAttestationJwtPayloadForUse = (use) => z.object({
+const zKeyAttestationJwtPayloadForUse = (use) => z$1.object({
 	...zKeyAttestationJwtPayload.shape,
-	nonce: use === "proof_type.attestation" ? z.string({ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly` }) : z.optional(z.string()),
-	exp: use === "proof_type.jwt" ? zNumericDate : z.optional(zNumericDate)
+	nonce: use === "proof_type.attestation" ? z$1.string({ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly` }) : z$1.optional(z$1.string()),
+	exp: use === "proof_type.jwt" ? zNumericDate : z$1.optional(zNumericDate)
 }).loose();
 //#endregion
@@ -283,124 +727,124 @@ async function verifyKeyAttestationJwt(options) {
 //#endregion
 //#region src/metadata/credential-issuer/z-claims-description.ts
-const zCredentialConfigurationSupportedClaimsDescriptionDraft14 = z.object({
-	mandatory: z.boolean().optional(),
-	value_type: z.string().optional(),
-	display: z.array(z.object({
-		name: z.string().optional(),
-		locale: z.string().optional()
+const zCredentialConfigurationSupportedClaimsDescriptionDraft14 = z$1.object({
+	mandatory: z$1.boolean().optional(),
+	value_type: z$1.string().optional(),
+	display: z$1.array(z$1.object({
+		name: z$1.string().optional(),
+		locale: z$1.string().optional()
 	}).loose()).optional()
 }).loose();
-const zCredentialConfigurationSupportedClaimsDraft14 = z.record(z.string(), z.union([zCredentialConfigurationSupportedClaimsDescriptionDraft14, z.lazy(() => zCredentialConfigurationSupportedClaimsDraft14)]));
-const zClaimDescriptionPathValue = z.union([
-	z.string(),
-	z.number().int().nonnegative(),
-	z.null()
+const zCredentialConfigurationSupportedClaimsDraft14 = z$1.record(z$1.string(), z$1.union([zCredentialConfigurationSupportedClaimsDescriptionDraft14, z$1.lazy(() => zCredentialConfigurationSupportedClaimsDraft14)]));
+const zClaimDescriptionPathValue = z$1.union([
+	z$1.string(),
+	z$1.number().int().nonnegative(),
+	z$1.null()
 ]);
-const zClaimsDescriptionPath = z.tuple([zClaimDescriptionPathValue], zClaimDescriptionPathValue);
-const zMsoMdocClaimsDescriptionPath = z.tuple([z.string(), z.string()], zClaimDescriptionPathValue, { message: "mso_mdoc claims description path MUST be an array with at least two string elements, pointing to the namespace and element identifier within an mdoc credential" });
-const zIssuerMetadataClaimsDescription = z.object({
+const zClaimsDescriptionPath = z$1.tuple([zClaimDescriptionPathValue], zClaimDescriptionPathValue);
+const zMsoMdocClaimsDescriptionPath = z$1.tuple([z$1.string(), z$1.string()], zClaimDescriptionPathValue, { message: "mso_mdoc claims description path MUST be an array with at least two string elements, pointing to the namespace and element identifier within an mdoc credential" });
+const zIssuerMetadataClaimsDescription = z$1.object({
 	path: zClaimsDescriptionPath,
-	mandatory: z.boolean().optional(),
-	display: z.array(z.object({
-		name: z.string().optional(),
-		locale: z.string().optional()
+	mandatory: z$1.boolean().optional(),
+	display: z$1.array(z$1.object({
+		name: z$1.string().optional(),
+		locale: z$1.string().optional()
 	}).loose()).optional()
 }).loose();
 const zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({ path: zMsoMdocClaimsDescriptionPath });
 //#endregion
 //#region src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-const zCredentialConfigurationSupportedDisplayEntry = z.object({
-	name: z.string(),
-	locale: z.string().optional(),
-	logo: z.object({
+const zCredentialConfigurationSupportedDisplayEntry = z$1.object({
+	name: z$1.string(),
+	locale: z$1.string().optional(),
+	logo: z$1.object({
 		uri: zHttpsUrl.or(zDataUrl).optional(),
-		alt_text: z.string().optional()
+		alt_text: z$1.string().optional()
 	}).loose().optional(),
-	description: z.string().optional(),
-	background_color: z.string().optional(),
-	background_image: z.object({ uri: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
-	text_color: z.string().optional()
+	description: z$1.string().optional(),
+	background_color: z$1.string().optional(),
+	background_image: z$1.object({ uri: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
+	text_color: z$1.string().optional()
 }).loose();
-const zCredentialConfigurationSupportedCommonCredentialMetadata = z.object({ display: z.array(zCredentialConfigurationSupportedDisplayEntry).optional() }).loose();
-const zCredentialConfigurationSupportedCommon = z.object({
-	format: z.string(),
-	scope: z.string().optional(),
-	cryptographic_binding_methods_supported: z.array(z.string()).optional(),
-	credential_signing_alg_values_supported: z.array(z.string()).or(z.array(z.number())).optional(),
-	proof_types_supported: z.record(z.union([
-		z.literal("jwt"),
-		z.literal("attestation"),
-		z.string()
-	]), z.object({
-		proof_signing_alg_values_supported: z.array(z.string()),
-		key_attestations_required: z.object({
+const zCredentialConfigurationSupportedCommonCredentialMetadata = z$1.object({ display: z$1.array(zCredentialConfigurationSupportedDisplayEntry).optional() }).loose();
+const zCredentialConfigurationSupportedCommon = z$1.object({
+	format: z$1.string(),
+	scope: z$1.string().optional(),
+	cryptographic_binding_methods_supported: z$1.array(z$1.string()).optional(),
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).or(z$1.array(z$1.number())).optional(),
+	proof_types_supported: z$1.record(z$1.union([
+		z$1.literal("jwt"),
+		z$1.literal("attestation"),
+		z$1.string()
+	]), z$1.object({
+		proof_signing_alg_values_supported: z$1.array(z$1.string()),
+		key_attestations_required: z$1.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
 		}).loose().optional()
 	})).optional(),
 	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.optional()
 }).loose();
-const zCredentialConfigurationSupportedCommonDraft15 = z.object({
-	format: z.string(),
-	scope: z.string().optional(),
-	cryptographic_binding_methods_supported: z.array(z.string()).optional(),
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	proof_types_supported: z.record(z.union([
-		z.literal("jwt"),
-		z.literal("attestation"),
-		z.string()
-	]), z.object({
-		proof_signing_alg_values_supported: z.array(z.string()),
-		key_attestations_required: z.object({
+const zCredentialConfigurationSupportedCommonDraft15 = z$1.object({
+	format: z$1.string(),
+	scope: z$1.string().optional(),
+	cryptographic_binding_methods_supported: z$1.array(z$1.string()).optional(),
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	proof_types_supported: z$1.record(z$1.union([
+		z$1.literal("jwt"),
+		z$1.literal("attestation"),
+		z$1.string()
+	]), z$1.object({
+		proof_signing_alg_values_supported: z$1.array(z$1.string()),
+		key_attestations_required: z$1.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
 		}).loose().optional()
 	})).optional(),
-	display: z.array(zCredentialConfigurationSupportedDisplayEntry).optional(),
-	credential_metadata: z.optional(z.never())
+	display: z$1.array(zCredentialConfigurationSupportedDisplayEntry).optional(),
+	credential_metadata: z$1.optional(z$1.never())
 }).loose();
 //#endregion
 //#region src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-const zMsoMdocFormatIdentifier = z.literal("mso_mdoc");
+const zMsoMdocFormatIdentifier = z$1.literal("mso_mdoc");
 const zMsoMdocCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
-	credential_signing_alg_values_supported: z.array(z.number()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zMsoMdocIssuerMetadataClaimsDescription).optional() }).optional()
+	doctype: z$1.string(),
+	credential_signing_alg_values_supported: z$1.array(z$1.number()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zMsoMdocIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zMsoMdocCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
-	claims: z.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+	doctype: z$1.string(),
+	claims: z$1.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
 });
 const zMsoMdocCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
+	doctype: z$1.string(),
 	claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
-	order: z.optional(z.array(z.string()))
+	order: z$1.optional(z$1.array(z$1.string()))
 });
-const zMsoMdocCredentialRequestFormatDraft14 = z.object({
+const zMsoMdocCredentialRequestFormatDraft14 = z$1.object({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
+	doctype: z$1.string(),
 	claims: zCredentialConfigurationSupportedClaimsDraft14.optional()
 });
 //#endregion
 //#region src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
-const zSdJwtDcFormatIdentifier = z.literal("dc+sd-jwt");
+const zSdJwtDcFormatIdentifier = z$1.literal("dc+sd-jwt");
 const zSdJwtDcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zSdJwtDcFormatIdentifier,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zSdJwtDcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zSdJwtDcFormatIdentifier,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 //#endregion
@@ -410,19 +854,19 @@ const zSdJwtDcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupporte
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
-const zLegacySdJwtVcFormatIdentifier = z.literal("vc+sd-jwt");
+const zLegacySdJwtVcFormatIdentifier = z$1.literal("vc+sd-jwt");
 /**
 * @deprecated format has been deprecated in favor of "dc+sd-jwt" since Draft 23
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
 const zLegacySdJwtVcCredentialIssuerMetadataV1 = zCredentialConfigurationSupportedCommon.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zLegacySdJwtVcFormatIdentifier,
-	order: z.optional(z.array(z.string())),
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
-	credential_definition: z.optional(z.never())
+	order: z$1.optional(z$1.array(z$1.string())),
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
+	credential_definition: z$1.optional(z$1.never())
 });
 /**
 * @deprecated format has been deprecated in favor of "dc+sd-jwt" since Draft 23
@@ -430,71 +874,71 @@ const zLegacySdJwtVcCredentialIssuerMetadataV1 = zCredentialConfigurationSupport
 * implementations accordingly.
 */
 const zLegacySdJwtVcCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zLegacySdJwtVcFormatIdentifier,
-	claims: z.optional(zCredentialConfigurationSupportedClaimsDraft14),
-	order: z.optional(z.array(z.string())),
-	credential_definition: z.optional(z.never())
+	claims: z$1.optional(zCredentialConfigurationSupportedClaimsDraft14),
+	order: z$1.optional(z$1.array(z$1.string())),
+	credential_definition: z$1.optional(z$1.never())
 });
 /**
 * @deprecated format has been deprecated in favor of "dc+sd-jwt" since Draft 23
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
-const zLegacySdJwtVcCredentialRequestFormatDraft14 = z.object({
+const zLegacySdJwtVcCredentialRequestFormatDraft14 = z$1.object({
 	format: zLegacySdJwtVcFormatIdentifier,
-	vct: z.string(),
-	claims: z.optional(zCredentialConfigurationSupportedClaimsDraft14),
-	credential_definition: z.optional(z.never())
+	vct: z$1.string(),
+	claims: z$1.optional(zCredentialConfigurationSupportedClaimsDraft14),
+	credential_definition: z$1.optional(z$1.never())
 });
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-vc-common.ts
-const zCredentialSubjectLeafTypeDraft14 = z.object({
-	mandatory: z.boolean().optional(),
-	value_type: z.string().optional(),
-	display: z.array(z.object({
-		name: z.string().optional(),
-		locale: z.string().optional()
+const zCredentialSubjectLeafTypeDraft14 = z$1.object({
+	mandatory: z$1.boolean().optional(),
+	value_type: z$1.string().optional(),
+	display: z$1.array(z$1.object({
+		name: z$1.string().optional(),
+		locale: z$1.string().optional()
 	}).loose()).optional()
 }).loose();
-const zClaimValueSchemaDraft14 = z.union([
-	z.array(z.any()),
-	z.record(z.string(), z.any()),
+const zClaimValueSchemaDraft14 = z$1.union([
+	z$1.array(z$1.any()),
+	z$1.record(z$1.string(), z$1.any()),
 	zCredentialSubjectLeafTypeDraft14
 ]);
-const zW3cVcCredentialSubjectDraft14 = z.record(z.string(), zClaimValueSchemaDraft14);
-const zW3cVcJsonLdCredentialDefinition = z.object({
-	"@context": z.array(z.string()),
-	type: z.tuple([z.string()], z.string())
+const zW3cVcCredentialSubjectDraft14 = z$1.record(z$1.string(), zClaimValueSchemaDraft14);
+const zW3cVcJsonLdCredentialDefinition = z$1.object({
+	"@context": z$1.array(z$1.string()),
+	type: z$1.tuple([z$1.string()], z$1.string())
 }).loose();
 const zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
-const zJwtVcJsonFormatIdentifier = z.literal("jwt_vc_json");
-const zJwtVcJsonCredentialDefinition = z.object({ type: z.tuple([z.string()], z.string()) }).loose();
+const zJwtVcJsonFormatIdentifier = z$1.literal("jwt_vc_json");
+const zJwtVcJsonCredentialDefinition = z$1.object({ type: z$1.tuple([z$1.string()], z$1.string()) }).loose();
 const zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 const zJwtVcJsonCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zJwtVcJsonCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 const zJwtVcJsonCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
-	order: z.array(z.string()).optional()
+	order: z$1.array(z$1.string()).optional()
 });
-const zJwtVcJsonCredentialIssuerMetadataDraft11 = z.object({
+const zJwtVcJsonCredentialIssuerMetadataDraft11 = z$1.object({
 	format: zJwtVcJsonFormatIdentifier,
-	order: z.array(z.string()).optional(),
-	types: z.tuple([z.string()], z.string()),
+	order: z$1.array(z$1.string()).optional(),
+	types: z$1.tuple([z$1.string()], z$1.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).loose();
 const zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(({ types, credentialSubject, ...rest }) => ({
@@ -509,14 +953,14 @@ const zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuer
 	types: type,
 	...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-const zJwtVcJsonCredentialRequestFormatDraft14 = z.object({
+const zJwtVcJsonCredentialRequestFormatDraft14 = z$1.object({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinition
 });
-const zJwtVcJsonCredentialRequestDraft11 = z.object({
+const zJwtVcJsonCredentialRequestDraft11 = z$1.object({
 	format: zJwtVcJsonFormatIdentifier,
-	types: z.tuple([z.string()], z.string()),
-	credentialSubject: z.optional(zW3cVcCredentialSubjectDraft14)
+	types: z$1.tuple([z$1.string()], z$1.string()),
+	credentialSubject: z$1.optional(zW3cVcCredentialSubjectDraft14)
 }).loose();
 const zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(({ types, credentialSubject, ...rest }) => {
 	return {
@@ -535,28 +979,28 @@ const zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
-const zJwtVcJsonLdFormatIdentifier = z.literal("jwt_vc_json-ld");
+const zJwtVcJsonLdFormatIdentifier = z$1.literal("jwt_vc_json-ld");
 const zJwtVcJsonLdCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zJwtVcJsonLdCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 const zJwtVcJsonLdCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-	order: z.optional(z.array(z.string()))
+	order: z$1.optional(z$1.array(z$1.string()))
 });
-const zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z.object({
-	order: z.array(z.string()).optional(),
+const zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z$1.object({
+	order: z$1.array(z$1.string()).optional(),
 	format: zJwtVcJsonLdFormatIdentifier,
-	"@context": z.array(z.string()),
-	types: z.tuple([z.string()], z.string()),
+	"@context": z$1.array(z$1.string()),
+	types: z$1.tuple([z$1.string()], z$1.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).loose();
 const zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -572,16 +1016,16 @@ const zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIs
 	...credentialDefinition,
 	types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-const zJwtVcJsonLdCredentialRequestFormatDraft14 = z.object({
+const zJwtVcJsonLdCredentialRequestFormatDraft14 = z$1.object({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition
 });
-const zJwtVcJsonLdCredentialRequestDraft11 = z.object({
+const zJwtVcJsonLdCredentialRequestDraft11 = z$1.object({
 	format: zJwtVcJsonLdFormatIdentifier,
-	credential_definition: z.object({
-		"@context": z.array(z.string()),
-		types: z.tuple([z.string()], z.string()),
-		credentialSubject: z.optional(zW3cVcCredentialSubjectDraft14)
+	credential_definition: z$1.object({
+		"@context": z$1.array(z$1.string()),
+		types: z$1.tuple([z$1.string()], z$1.string()),
+		credentialSubject: z$1.optional(zW3cVcCredentialSubjectDraft14)
 	}).loose()
 }).loose();
 const zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(({ credential_definition: { types, ...restCredentialDefinition }, ...rest }) => ({
@@ -601,28 +1045,28 @@ const zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFo
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-const zLdpVcFormatIdentifier = z.literal("ldp_vc");
+const zLdpVcFormatIdentifier = z$1.literal("ldp_vc");
 const zLdpVcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zLdpVcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 const zLdpVcCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-	order: z.array(z.string()).optional()
+	order: z$1.array(z$1.string()).optional()
 });
-const zLdpVcCredentialIssuerMetadataDraft11 = z.object({
-	order: z.array(z.string()).optional(),
+const zLdpVcCredentialIssuerMetadataDraft11 = z$1.object({
+	order: z$1.array(z$1.string()).optional(),
 	format: zLdpVcFormatIdentifier,
-	"@context": z.array(z.string()),
-	types: z.tuple([z.string()], z.string()),
+	"@context": z$1.array(z$1.string()),
+	types: z$1.tuple([z$1.string()], z$1.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).loose();
 const zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -638,15 +1082,15 @@ const zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata
 	...credentialDefinition,
 	types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-const zLdpVcCredentialRequestFormatDraft14 = z.object({
+const zLdpVcCredentialRequestFormatDraft14 = z$1.object({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
-const zLdpVcCredentialRequestDraft11 = z.object({
+const zLdpVcCredentialRequestDraft11 = z$1.object({
 	format: zLdpVcFormatIdentifier,
-	credential_definition: z.object({
-		"@context": z.array(z.string()),
-		types: z.tuple([z.string()], z.string()),
+	credential_definition: z$1.object({
+		"@context": z$1.array(z$1.string()),
+		types: z$1.tuple([z$1.string()], z$1.string()),
 		credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 	})
 }).loose();
@@ -667,25 +1111,25 @@ const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-sd-jwt-vc.ts
-const zSdJwtW3VcFormatIdentifier = z.literal("vc+sd-jwt");
-const zSdJwtW3VcCredentialDefinition = z.object({ type: z.tuple([z.string()], z.string()) }).loose();
+const zSdJwtW3VcFormatIdentifier = z$1.literal("vc+sd-jwt");
+const zSdJwtW3VcCredentialDefinition = z$1.object({ type: z$1.tuple([z$1.string()], z$1.string()) }).loose();
 const zSdJwtW3VcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
-	vct: z.optional(z.never())
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
+	vct: z$1.optional(z$1.never())
 });
 const zSdJwtW3VcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional(),
-	vct: z.optional(z.never())
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional(),
+	vct: z$1.optional(z$1.never())
 });
-const zSdJwtW3VcCredentialRequestFormatDraft14 = z.object({
+const zSdJwtW3VcCredentialRequestFormatDraft14 = z$1.object({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
-	vct: z.optional(z.never())
+	vct: z$1.optional(z$1.never())
 });
 //#endregion
@@ -711,50 +1155,50 @@ const allCredentialIssuerMetadataFormats = [
 	zJwtVcJsonCredentialIssuerMetadataDraft14
 ];
 const allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map((format) => format.shape.format.value);
-const zCredentialConfigurationSupportedWithFormats = z.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
+const zCredentialConfigurationSupportedWithFormats = z$1.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
 	if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
 	const validators = allCredentialIssuerMetadataFormats.filter((formatValidator) => formatValidator.shape.format.value === data.format);
-	const result = z.object({}).loose().and(validators.length > 1 ? z.union(validators) : validators[0]).safeParse(data);
+	const result = z$1.object({}).loose().and(validators.length > 1 ? z$1.union(validators) : validators[0]).safeParse(data);
 	if (result.success) return result.data;
 	for (const issue of result.error.issues) ctx.addIssue({
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 });
-const zCredentialIssuerMetadataDisplayEntry = z.object({
-	name: z.string().optional(),
-	locale: z.string().optional(),
-	logo: z.object({
+const zCredentialIssuerMetadataDisplayEntry = z$1.object({
+	name: z$1.string().optional(),
+	locale: z$1.string().optional(),
+	logo: z$1.object({
 		uri: zHttpsUrl.or(zDataUrl).optional(),
-		alt_text: z.string().optional()
+		alt_text: z$1.string().optional()
 	}).loose().optional()
 }).loose();
-const zCredentialIssuerMetadataDraft14Draft15V1 = z.object({
+const zCredentialIssuerMetadataDraft14Draft15V1 = z$1.object({
 	credential_issuer: zHttpsUrl,
-	authorization_servers: z.array(zHttpsUrl).optional(),
+	authorization_servers: z$1.array(zHttpsUrl).optional(),
 	credential_endpoint: zHttpsUrl,
 	deferred_credential_endpoint: zHttpsUrl.optional(),
 	notification_endpoint: zHttpsUrl.optional(),
 	nonce_endpoint: zHttpsUrl.optional(),
-	credential_response_encryption: z.object({
-		alg_values_supported: z.array(z.string()),
-		enc_values_supported: z.array(z.string()),
-		encryption_required: z.boolean()
+	credential_response_encryption: z$1.object({
+		alg_values_supported: z$1.array(z$1.string()),
+		enc_values_supported: z$1.array(z$1.string()),
+		encryption_required: z$1.boolean()
 	}).loose().optional(),
-	batch_credential_issuance: z.object({ batch_size: z.number().positive() }).loose().optional(),
-	display: z.array(zCredentialIssuerMetadataDisplayEntry).optional(),
-	credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedCommon)
+	batch_credential_issuance: z$1.object({ batch_size: z$1.number().positive() }).loose().optional(),
+	display: z$1.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+	credential_configurations_supported: z$1.record(z$1.string(), zCredentialConfigurationSupportedCommon)
 }).loose();
-const zCredentialConfigurationSupportedDraft11ToV1 = z.object({
-	id: z.string().optional(),
-	format: z.string(),
-	cryptographic_suites_supported: z.array(z.string()).optional(),
-	display: z.array(z.object({
-		logo: z.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
-		background_image: z.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional()
+const zCredentialConfigurationSupportedDraft11ToV1 = z$1.object({
+	id: z$1.string().optional(),
+	format: z$1.string(),
+	cryptographic_suites_supported: z$1.array(z$1.string()).optional(),
+	display: z$1.array(z$1.object({
+		logo: z$1.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
+		background_image: z$1.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional()
 	}).loose()).optional(),
-	claims: z.any().transform((claims) => claimsObjectToClaimsArray(claims)).optional()
+	claims: z$1.any().transform((claims) => claimsObjectToClaimsArray(claims)).optional()
 }).loose().transform(({ cryptographic_suites_supported, display, claims, id, format, ...rest }) => ({
 	...rest,
 	format: format === "vc+sd-jwt" && rest.vct ? "dc+sd-jwt" : format,
@@ -780,7 +1224,7 @@ const zCredentialConfigurationSupportedDraft11ToV1 = z.object({
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSupportedWithFormats.transform(({ credential_metadata, ...rest }) => ({
 	...credential_metadata,
@@ -794,7 +1238,7 @@ const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSup
 			path: ["id"],
 			message: "Missing required id field"
 		});
-		return z.NEVER;
+		return z$1.NEVER;
 	}
 	return {
 		...configuration,
@@ -821,26 +1265,26 @@ const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSup
 		};
 	}) } : {},
 	id
-})).pipe(z.union([
+})).pipe(z$1.union([
 	zLdpVcCredentialIssuerMetadataDraft14To11,
 	zJwtVcJsonCredentialIssuerMetadataDraft14To11,
 	zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
-	z.object({ format: z.string().refine((input) => ![
+	z$1.object({ format: z$1.string().refine((input) => ![
 		zLdpVcFormatIdentifier.value,
 		zJwtVcJsonFormatIdentifier.value,
 		zJwtVcJsonLdFormatIdentifier.value
 	].includes(input)) }).loose()
 ]));
-const zCredentialIssuerMetadataDraft11ToV1 = z.object({
-	authorization_server: z.string().optional(),
-	credentials_supported: z.array(z.object({ id: z.string().optional() }).loose())
+const zCredentialIssuerMetadataDraft11ToV1 = z$1.object({
+	authorization_server: z$1.string().optional(),
+	credentials_supported: z$1.array(z$1.object({ id: z$1.string().optional() }).loose())
 }).loose().transform(({ authorization_server, credentials_supported, ...rest }) => {
 	return {
 		...rest,
 		...authorization_server ? { authorization_servers: [authorization_server] } : {},
 		credential_configurations_supported: Object.fromEntries(credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0))
 	};
-}).pipe(z.object({ credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedDraft11ToV1) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15V1);
+}).pipe(z$1.object({ credential_configurations_supported: z$1.record(z$1.string(), zCredentialConfigurationSupportedDraft11ToV1) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15V1);
 const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15V1.transform((issuerMetadata) => ({
 	...issuerMetadata,
 	...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
@@ -848,9 +1292,9 @@ const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Dra
 		...value,
 		id
 	}))
-})).pipe(zCredentialIssuerMetadataDraft14Draft15V1.extend({ credentials_supported: z.array(zCredentialConfigurationSupportedV1ToDraft11) }));
-const zCredentialIssuerMetadata = z.union([zCredentialIssuerMetadataDraft14Draft15V1, zCredentialIssuerMetadataDraft11ToV1]);
-const zCredentialIssuerMetadataWithDraftVersion = z.union([zCredentialIssuerMetadataDraft14Draft15V1.transform((credentialIssuerMetadata) => {
+})).pipe(zCredentialIssuerMetadataDraft14Draft15V1.extend({ credentials_supported: z$1.array(zCredentialConfigurationSupportedV1ToDraft11) }));
+const zCredentialIssuerMetadata = z$1.union([zCredentialIssuerMetadataDraft14Draft15V1, zCredentialIssuerMetadataDraft11ToV1]);
+const zCredentialIssuerMetadataWithDraftVersion = z$1.union([zCredentialIssuerMetadataDraft14Draft15V1.transform((credentialIssuerMetadata) => {
 	const credentialConfigurations = Object.values(credentialIssuerMetadata.credential_configurations_supported);
 	const isDraft15 = credentialConfigurations.some((configuration) => {
 		const knownConfiguration = configuration;
@@ -929,16 +1373,25 @@ function claimsObjectToClaimsArray(claims) {
 	return result;
 }
+//#endregion
+//#region src/authorization-flow.ts
+let AuthorizationFlow = /* @__PURE__ */ function(AuthorizationFlow$1) {
+	AuthorizationFlow$1["Oauth2Redirect"] = "Oauth2Redirect";
+	AuthorizationFlow$1["PresentationDuringIssuance"] = "PresentationDuringIssuance";
+	AuthorizationFlow$1["InteractiveAuthorizationOpenid4vp"] = "InteractiveAuthorizationOpenid4vp";
+	return AuthorizationFlow$1;
+}({});
 //#endregion
 //#region src/metadata/credential-issuer/z-signed-credential-issuer-metadata.ts
-const zSignedCredentialIssuerMetadataHeader = z.object({
+const zSignedCredentialIssuerMetadataHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("openidvci-issuer-metadata+jwt")
+	typ: z$1.literal("openidvci-issuer-metadata+jwt")
 }).loose();
-const zSignedCredentialIssuerMetadataPayload = z.object({
+const zSignedCredentialIssuerMetadataPayload = z$1.object({
 	...zJwtPayload.shape,
 	iat: zNumericDate,
-	sub: z.string(),
+	sub: z$1.string(),
 	...zCredentialIssuerMetadataDraft14Draft15V1.shape
 }).loose();
@@ -1078,9 +1531,9 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
 //#endregion
 //#region src/formats/proof-type/attestation/z-attestation-proof-type.ts
-const zAttestationProofTypeIdentifier = z.literal("attestation");
+const zAttestationProofTypeIdentifier = z$1.literal("attestation");
 const attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
-const zCredentialRequestProofAttestation = z.object({
+const zCredentialRequestProofAttestation = z$1.object({
 	proof_type: zAttestationProofTypeIdentifier,
 	attestation: zCompactJwt
 });
@@ -1088,40 +1541,41 @@ const zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadF
 //#endregion
 //#region src/formats/proof-type/jwt/z-jwt-proof-type.ts
-const zJwtProofTypeIdentifier = z.literal("jwt");
+const zJwtProofTypeIdentifier = z$1.literal("jwt");
 const jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
-const zCredentialRequestProofJwt = z.object({
+const zCredentialRequestProofJwt = z$1.object({
 	proof_type: zJwtProofTypeIdentifier,
 	jwt: zCompactJwt
 });
 const zCredentialRequestJwtProofTypeHeader = zJwtHeader.extend({
-	key_attestation: z.optional(zCompactJwt),
-	typ: z.literal("openid4vci-proof+jwt")
+	key_attestation: z$1.optional(zCompactJwt),
+	typ: z$1.literal("openid4vci-proof+jwt")
 }).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
-const zCredentialRequestJwtProofTypePayload = z.object({
+const zCredentialRequestJwtProofTypePayload = z$1.object({
 	...zJwtPayload.shape,
-	aud: z.union([zHttpsUrl, z.array(zHttpsUrl)]),
+	aud: z$1.union([zHttpsUrl, z$1.array(zHttpsUrl)]),
 	iat: zNumericDate
 }).loose();
 //#endregion
 //#region src/credential-request/z-credential-request-common.ts
-const zCredentialRequestProofCommon = z.object({ proof_type: z.string() }).loose();
+const zCredentialRequestProofCommon = z$1.object({ proof_type: z$1.string() }).loose();
 const allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
-const zCredentialRequestProof = z.union([zCredentialRequestProofCommon, z.discriminatedUnion("proof_type", allCredentialRequestProofs)]);
-const zCredentialRequestProofsCommon = z.record(z.string(), z.array(z.unknown()));
-const zCredentialRequestProofs = z.object({
-	[zJwtProofTypeIdentifier.value]: z.optional(z.array(zCredentialRequestProofJwt.shape.jwt)),
-	[zAttestationProofTypeIdentifier.value]: z.optional(z.array(zCredentialRequestProofAttestation.shape.attestation))
+const zCredentialRequestProof = z$1.union([zCredentialRequestProofCommon, z$1.discriminatedUnion("proof_type", allCredentialRequestProofs)]);
+const zCredentialRequestProofsCommon = z$1.record(z$1.string(), z$1.array(z$1.unknown()));
+const zCredentialRequestProofs = z$1.object({
+	[zJwtProofTypeIdentifier.value]: z$1.optional(z$1.array(zCredentialRequestProofJwt.shape.jwt)),
+	[zAttestationProofTypeIdentifier.value]: z$1.optional(z$1.array(zCredentialRequestProofAttestation.shape.attestation))
 });
-const zCredentialRequestCommon = z.object({
+const zCredentialResponseEncryption = z$1.object({
+	jwk: zJwk,
+	alg: z$1.string(),
+	enc: z$1.string()
+}).loose();
+const zCredentialRequestCommon = z$1.object({
 	proof: zCredentialRequestProof.optional(),
-	proofs: z.optional(z.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, { message: `The 'proofs' object in a credential request should contain exactly one attribute` })),
-	credential_response_encryption: z.object({
-		jwk: zJwk,
-		alg: z.string(),
-		enc: z.string()
-	}).loose().optional()
+	proofs: z$1.optional(z$1.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, { message: `The 'proofs' object in a credential request should contain exactly one attribute` })),
+	credential_response_encryption: zCredentialResponseEncryption.optional()
 }).loose().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
 //#endregion
@@ -1135,31 +1589,31 @@ const allCredentialRequestFormats = [
 	zLegacySdJwtVcCredentialRequestFormatDraft14
 ];
 const allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map((format) => format.shape.format.value);
-const zCredentialRequestCredentialConfigurationId = z.object({
-	credential_configuration_id: z.string(),
-	credential_identifier: z.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
+const zCredentialRequestCredentialConfigurationId = z$1.object({
+	credential_configuration_id: z$1.string(),
+	credential_identifier: z$1.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
 });
-const zAuthorizationDetailsCredentialRequest = z.object({
-	credential_identifier: z.string(),
-	credential_configuration_id: z.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional()
+const zAuthorizationDetailsCredentialRequest = z$1.object({
+	credential_identifier: z$1.string(),
+	credential_configuration_id: z$1.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional()
 });
-const zCredentialRequestFormat = z.object({
-	format: z.string(),
-	credential_identifier: z.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
-	credential_configuration_id: z.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
+const zCredentialRequestFormat = z$1.object({
+	format: z$1.string(),
+	credential_identifier: z$1.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
+	credential_configuration_id: z$1.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).loose();
 const zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
 	if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-	const result = z.object({}).loose().and(z.union(allCredentialRequestFormats)).safeParse(data);
+	const result = z$1.object({}).loose().and(z$1.union(allCredentialRequestFormats)).safeParse(data);
 	if (result.success) return result.data;
 	for (const issue of result.error.issues) ctx.addIssue({
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 });
-const zCredentialRequestDraft15 = z.union([zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest), zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)]);
-const zCredentialRequestDraft14 = z.union([zCredentialRequestDraft14WithFormat, zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)]);
+const zCredentialRequestDraft15 = z$1.union([zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest), zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)]);
+const zCredentialRequestDraft14 = z$1.union([zCredentialRequestDraft14WithFormat, zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)]);
 const zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
 	const formatSpecificTransformations = {
 		[zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
@@ -1173,7 +1627,7 @@ const zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRe
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 }).pipe(zCredentialRequestDraft14);
 const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data, ctx) => {
 	if (data.credential_identifier !== void 0) {
@@ -1183,7 +1637,7 @@ const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data,
 			message: `'credential_identifier' is not supported in OpenID4VCI draft 11`,
 			path: ["credential_identifier"]
 		});
-		return z.NEVER;
+		return z$1.NEVER;
 	}
 	const formatSpecificTransformations = {
 		[zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft14To11,
@@ -1197,20 +1651,16 @@ const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data,
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 });
-const zCredentialRequest = z.union([
+const zCredentialRequest = z$1.union([
 	zCredentialRequestDraft15,
 	zCredentialRequestDraft14,
 	zCredentialRequestDraft11To14
 ]);
-const zDeferredCredentialRequest = z.object({
-	transaction_id: z.string().nonempty(),
-	credential_response_encryption: z.object({
-		jwk: zJwk,
-		alg: z.string(),
-		enc: z.string()
-	}).loose().optional()
+const zDeferredCredentialRequest = z$1.object({
+	transaction_id: z$1.string().nonempty(),
+	credential_response_encryption: zCredentialResponseEncryption.optional()
 });
 //#endregion
@@ -1241,6 +1691,7 @@ let Oauth2ErrorCodes$1 = /* @__PURE__ */ function(Oauth2ErrorCodes$2) {
 	Oauth2ErrorCodes$2["InvalidTransactionId"] = "invalid_transaction_id";
 	Oauth2ErrorCodes$2["UnsupportedCredentialType"] = "unsupported_credential_type";
 	Oauth2ErrorCodes$2["UnsupportedCredentialFormat"] = "unsupported_credential_format";
+	Oauth2ErrorCodes$2["MissingInteractionType"] = "missing_interaction_type";
 	Oauth2ErrorCodes$2["InvalidRequestUri"] = "invalid_request_uri";
 	Oauth2ErrorCodes$2["InvalidRequestObject"] = "invalid_request_object";
 	Oauth2ErrorCodes$2["RequestNotSupported"] = "request_not_supported";
@@ -1254,25 +1705,25 @@ let Oauth2ErrorCodes$1 = /* @__PURE__ */ function(Oauth2ErrorCodes$2) {
 	Oauth2ErrorCodes$2["WalletUnavailable"] = "wallet_unavailable";
 	return Oauth2ErrorCodes$2;
 }({});
-const zOauth2ErrorResponse = z.object({
-	error: z.union([z.enum(Oauth2ErrorCodes$1), z.string()]),
-	error_description: z.string().optional(),
-	error_uri: z.string().optional()
+const zOauth2ErrorResponse$1 = z$1.object({
+	error: z$1.union([z$1.enum(Oauth2ErrorCodes$1), z$1.string()]),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
 }).loose();
 //#endregion
 //#region src/credential-request/z-credential-response.ts
-const zCredentialEncoding = z.union([z.string(), z.record(z.string(), z.any())]);
-const zBaseCredentialResponse = z.object({
-	credentials: z.union([z.array(z.object({ credential: zCredentialEncoding })), z.array(zCredentialEncoding)]).optional(),
-	notification_id: z.string().optional(),
-	transaction_id: z.string().optional(),
-	interval: z.number().int().positive().optional()
+const zCredentialEncoding = z$1.union([z$1.string(), z$1.record(z$1.string(), z$1.any())]);
+const zBaseCredentialResponse = z$1.object({
+	credentials: z$1.union([z$1.array(z$1.object({ credential: zCredentialEncoding })), z$1.array(zCredentialEncoding)]).optional(),
+	notification_id: z$1.string().optional(),
+	transaction_id: z$1.string().optional(),
+	interval: z$1.number().int().positive().optional()
 }).loose();
 const zCredentialResponse = zBaseCredentialResponse.extend({
-	credential: z.optional(zCredentialEncoding),
-	c_nonce: z.string().optional(),
-	c_nonce_expires_in: z.number().int().optional()
+	credential: z$1.optional(zCredentialEncoding),
+	c_nonce: z$1.string().optional(),
+	c_nonce_expires_in: z$1.number().int().optional()
 }).loose().superRefine((value, ctx) => {
 	const { credential, credentials, transaction_id, interval, notification_id } = value;
 	if ([credential || credentials, transaction_id].filter((i) => i !== void 0).length !== 1) ctx.addIssue({
@@ -1288,10 +1739,10 @@ const zCredentialResponse = zBaseCredentialResponse.extend({
 		message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
 	});
 });
-const zCredentialErrorResponse = z.object({
-	...zOauth2ErrorResponse.shape,
-	c_nonce: z.string().optional(),
-	c_nonce_expires_in: z.number().int().optional()
+const zCredentialErrorResponse = z$1.object({
+	...zOauth2ErrorResponse$1.shape,
+	c_nonce: z$1.string().optional(),
+	c_nonce_expires_in: z$1.number().int().optional()
 }).loose();
 const zDeferredCredentialResponse = zBaseCredentialResponse.superRefine((value, ctx) => {
 	const { credentials, transaction_id, interval, notification_id } = value;
@@ -1311,6 +1762,39 @@ const zDeferredCredentialResponse = zBaseCredentialResponse.superRefine((value,
 //#endregion
 //#region src/credential-request/retrieve-credentials.ts
+/**
+* Handles credential response by detecting content type, decrypting if needed, and parsing.
+*/
+async function handleCredentialResponse(options) {
+	const { response, decryptJwe, credentialResponseEncryption, schema, responseType } = options;
+	if (isResponseContentType(ContentType.Jwt, response)) {
+		const decryptResult = await decryptJwe(await response.clone().text());
+		if (!decryptResult.decrypted) return {
+			ok: false,
+			parseResult: void 0
+		};
+		const jsonPayload = stringToJsonWithErrorHandling(decryptResult.payload, `Unable to parse decrypted ${responseType} as JSON`);
+		const parseResult$1 = schema.safeParse(jsonPayload);
+		if (!parseResult$1.success) return {
+			ok: false,
+			parseResult: parseResult$1
+		};
+		return {
+			ok: true,
+			data: parseResult$1.data
+		};
+	}
+	if (credentialResponseEncryption) throw new Openid4vciError(`Encryption was requested via 'credential_response_encryption' but the ${responseType} was not encrypted. Expected Content-Type 'application/jwt' but received '${response.headers.get("Content-Type")}'.`);
+	const parseResult = isResponseContentType(ContentType.Json, response) ? schema.safeParse(await response.clone().json()) : void 0;
+	if (!parseResult?.success) return {
+		ok: false,
+		parseResult
+	};
+	return {
+		ok: true,
+		data: parseResult.data
+	};
+}
 async function retrieveCredentialsWithCredentialConfigurationId(options) {
 	if (options.issuerMetadata.originalDraftVersion !== Openid4vciVersion.Draft15 && options.issuerMetadata.originalDraftVersion !== Openid4vciVersion.V1) throw new Openid4vciError("Requesting credentials based on credential configuration ID is not supported in OpenID4VCI below draft 15. Make sure to provide the format and format specific claims in the request.");
 	getKnownCredentialConfigurationSupportedById(options.issuerMetadata, options.credentialConfigurationId);
@@ -1318,14 +1802,16 @@ async function retrieveCredentialsWithCredentialConfigurationId(options) {
 		...options.additionalRequestPayload,
 		credential_configuration_id: options.credentialConfigurationId,
 		proof: options.proof,
-		proofs: options.proofs
+		proofs: options.proofs,
+		credential_response_encryption: options.credentialResponseEncryption
 	};
 	return retrieveCredentials({
 		callbacks: options.callbacks,
 		credentialRequest,
 		issuerMetadata: options.issuerMetadata,
 		accessToken: options.accessToken,
-		dpop: options.dpop
+		dpop: options.dpop,
+		credentialResponseEncryption: options.credentialResponseEncryption
 	});
 }
 async function retrieveCredentialsWithFormat(options) {
@@ -1334,14 +1820,16 @@ async function retrieveCredentialsWithFormat(options) {
 		...options.formatPayload,
 		...options.additionalRequestPayload,
 		proof: options.proof,
-		proofs: options.proofs
+		proofs: options.proofs,
+		credential_response_encryption: options.credentialResponseEncryption
 	};
 	return retrieveCredentials({
 		callbacks: options.callbacks,
 		credentialRequest,
 		issuerMetadata: options.issuerMetadata,
 		accessToken: options.accessToken,
-		dpop: options.dpop
+		dpop: options.dpop,
+		credentialResponseEncryption: options.credentialResponseEncryption
 	});
 }
 /**
@@ -1375,15 +1863,21 @@ async function retrieveCredentials(options) {
 			credentialErrorResponseResult
 		};
 	}
-	const credentialResponseResult = isResponseContentType(ContentType.Json, resourceResponse.response) ? zCredentialResponse.safeParse(await resourceResponse.response.clone().json()) : void 0;
-	if (!credentialResponseResult?.success) return {
+	const result = await handleCredentialResponse({
+		response: resourceResponse.response,
+		decryptJwe: options.callbacks.decryptJwe,
+		credentialResponseEncryption: options.credentialResponseEncryption,
+		schema: zCredentialResponse,
+		responseType: "credential response"
+	});
+	if (!result.ok) return {
 		...resourceResponse,
 		ok: false,
-		credentialResponseResult
+		credentialResponseResult: result.parseResult
 	};
 	return {
 		...resourceResponse,
-		credentialResponse: credentialResponseResult.data
+		credentialResponse: result.data
 	};
 }
 async function retrieveDeferredCredentials(options) {
@@ -1391,6 +1885,7 @@ async function retrieveDeferredCredentials(options) {
 	if (!credentialEndpoint) throw new Openid4vciError(`Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not support deferred credential retrieval.`);
 	const deferredCredentialRequest = parseWithErrorHandling(zDeferredCredentialRequest, {
 		transaction_id: options.transactionId,
+		credential_response_encryption: options.credentialResponseEncryption,
 		...options.additionalRequestPayload
 	}, "Error validating deferred credential request");
 	const resourceResponse = await resourceRequest({
@@ -1411,15 +1906,22 @@ async function retrieveDeferredCredentials(options) {
 			deferredCredentialErrorResponseResult
 		};
 	}
-	const deferredCredentialResponseResult = isResponseContentType(ContentType.Json, resourceResponse.response) ? zDeferredCredentialResponse.refine((response) => response.credentials || response.transaction_id === options.transactionId, { error: `Transaction id in deferred credential response does not match transaction id in deferred credential request '${options.transactionId}'` }).safeParse(await resourceResponse.response.clone().json()) : void 0;
-	if (!deferredCredentialResponseResult?.success) return {
+	const deferredResponseSchema = zDeferredCredentialResponse.refine((response) => response.credentials || response.transaction_id === options.transactionId, { message: `Transaction id in deferred credential response does not match transaction id in deferred credential request '${options.transactionId}'` });
+	const result = await handleCredentialResponse({
+		response: resourceResponse.response,
+		decryptJwe: options.callbacks.decryptJwe,
+		credentialResponseEncryption: options.credentialResponseEncryption,
+		schema: deferredResponseSchema,
+		responseType: "deferred credential response"
+	});
+	if (!result.ok) return {
 		...resourceResponse,
 		ok: false,
-		deferredCredentialResponseResult
+		deferredCredentialResponseResult: result.parseResult
 	};
 	return {
 		...resourceResponse,
-		deferredCredentialResponse: deferredCredentialResponseResult.data
+		deferredCredentialResponse: result.data
 	};
 }
@@ -1531,9 +2033,9 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 //#endregion
 //#region src/nonce/z-nonce.ts
-const zNonceResponse = z.object({
-	c_nonce: z.string(),
-	c_nonce_expires_in: z.optional(zInteger)
+const zNonceResponse = z$1.object({
+	c_nonce: z$1.string(),
+	c_nonce_expires_in: z$1.optional(zInteger)
 }).loose();
 //#endregion
@@ -1550,7 +2052,7 @@ async function requestNonce(options) {
 	const nonceEndpoint = options.issuerMetadata.credentialIssuer.nonce_endpoint;
 	if (!nonceEndpoint) throw new Openid4vciError(`Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a nonce endpoint.`);
 	const { response, result } = await fetchWithZod(zNonceResponse, ContentType.Json, nonceEndpoint, { method: "POST" });
-	if (!response.ok || !result) throw new InvalidFetchResponseError(`Requesting nonce from '${nonceEndpoint}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
+	if (!response.ok || !result) throw new InvalidFetchResponseError$1(`Requesting nonce from '${nonceEndpoint}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
 	if (!result.success) throw new ValidationError("Error parsing nonce response", result.error);
 	return result.data;
 }
@@ -1564,17 +2066,17 @@ function createNonceResponse(options) {
 //#endregion
 //#region src/notification/z-notification.ts
-const zNotificationEvent = z.enum([
+const zNotificationEvent = z$1.enum([
 	"credential_accepted",
 	"credential_failure",
 	"credential_deleted"
 ]);
-const zNotificationRequest = z.object({
-	notification_id: z.string(),
+const zNotificationRequest = z$1.object({
+	notification_id: z$1.string(),
 	event: zNotificationEvent,
-	event_description: z.optional(z.string())
+	event_description: z$1.optional(z$1.string())
 }).loose();
-const zNotificationErrorResponse = z.object({ error: z.enum(["invalid_notification_id", "invalid_notification_request"]) }).loose();
+const zNotificationErrorResponse = z$1.object({ error: z$1.enum(["invalid_notification_id", "invalid_notification_request"]) }).loose();
 //#endregion
 //#region src/notification/notification.ts
@@ -1609,11 +2111,6 @@ async function sendNotification(options) {
 //#endregion
 //#region src/Openid4vciClient.ts
-let AuthorizationFlow = /* @__PURE__ */ function(AuthorizationFlow$1) {
-	AuthorizationFlow$1["Oauth2Redirect"] = "Oauth2Redirect";
-	AuthorizationFlow$1["PresentationDuringIssuance"] = "PresentationDuringIssuance";
-	return AuthorizationFlow$1;
-}({});
 var Openid4vciClient = class {
 	constructor(options) {
 		this.options = options;
@@ -1630,7 +2127,9 @@ var Openid4vciClient = class {
 		return resolveIssuerMetadata(credentialIssuer, { callbacks: this.options.callbacks });
 	}
 	/**
-	* Retrieve an authorization code for a presentation during issuance session
+	* Retrieve an authorization code for a legacy presentation during issuance session
+	*
+	* This can only be called if the initiateAuthorization returned {@link AuthorizationFlow.PresentationDuringIssuance}.
 	*
 	* This can only be called if an authorization challenge was performed before and returned a
 	* `presentation` parameter along with an `auth_session`. If the presentation response included
@@ -1656,18 +2155,53 @@ var Openid4vciClient = class {
 		};
 	}
 	/**
-	* Initiates authorization for credential issuance. It handles the following cases:
-	* - Authorization Challenge
+	* Retrieve authorization code using Interactive Authorization Endpoint after OpenID4VP presentation
+	*
+	* This method is used when the Interactive Authorization Endpoint requires an OpenID4VP presentation.
+	* After completing the presentation, call this method with the auth_session and the openid4vp_response.
+	*
+	* @param options - Options including auth_session and openid4vp_response
+	* @returns The authorization code
+	*/
+	async retrieveAuthorizationCodeUsingInteractiveAuthorization(options) {
+		const authorizationCodeGrant = options.credentialOffer.grants?.[authorizationCodeGrantIdentifier];
+		if (!authorizationCodeGrant) throw new Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+		const authorizationServer = determineAuthorizationServerForCredentialOffer({
+			issuerMetadata: options.issuerMetadata,
+			grantAuthorizationServer: authorizationCodeGrant.authorization_server
+		});
+		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(options.issuerMetadata.authorizationServers, authorizationServer);
+		if (!authorizationServerMetadata.interactive_authorization_endpoint) throw new Openid4vciError("Authorization server does not support interactive authorization endpoint");
+		const { interactiveAuthorizationResponse, dpop } = await this.sendInteractiveAuthorizationRequest({
+			authorizationServerMetadata,
+			request: {
+				auth_session: options.authSession,
+				openid4vp_response: options.openid4vpResponse
+			},
+			dpop: options.dpop
+		});
+		if (interactiveAuthorizationResponse.status !== "ok") throw new Openid4vciError(`Interactive authorization did not return status 'ok'. Received status '${interactiveAuthorizationResponse.status}'.`);
+		return {
+			authorizationCode: interactiveAuthorizationResponse.code,
+			dpop
+		};
+	}
+	/**
+	* Initiates authorization for credential issuance. It handles the following cases (in order):
+	* - Interactive Authorization Endpoint (OpenID4VCI 1.1) - preferred method
+	* - Authorization Challenge (OAuth 2.0 First-Party Applications) - fallback
 	* - Pushed Authorization Request
 	* - Regular Authorization url
 	*
-	* In case the authorization challenge request returns an error with `insufficient_authorization`
-	* with a `presentation` field it means the authorization server expects presentation of credentials
-	* before issuance of credentials. If this is the case, the value in `presentation` should be treated
-	* as an openid4vp authorization request and submitted to the verifier. Once the presentation response
-	* has been submitted, the RP will respond with a `presentation_during_issuance_session` parameter.
-	* Together with the `auth_session` parameter returned in this call you can retrieve an `authorization_code`
-	* using
+	* The Interactive Authorization Endpoint can return:
+	* - `status: 'require_interaction'` with type 'openid4vp_presentation' (requires OpenID4VP presentation)
+	* - `status: 'require_interaction'` with type 'redirect_to_web' (requires browser redirect)
+	*
+	* For Authorization Challenge (legacy), an error with `insufficient_authorization` and `presentation`
+	* field means the AS expects presentation of credentials before issuance. The value in `presentation`
+	* should be treated as an OpenID4VP authorization request. Once submitted, the RP will respond with
+	* a `presentation_during_issuance_session` parameter. Together with the `auth_session` you can
+	* retrieve an authorization code using {@link retrieveAuthorizationCodeUsingPresentation}.
 	*/
 	async initiateAuthorization(options) {
 		if (!options.credentialOffer.grants?.[authorizationCodeGrantIdentifier]) throw new Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
@@ -1679,6 +2213,53 @@ var Openid4vciClient = class {
 		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(options.issuerMetadata.authorizationServers, authorizationServer);
 		const oauth2Client = new Oauth2Client({ callbacks: this.options.callbacks });
 		try {
+			if (authorizationServerMetadata.interactive_authorization_endpoint) {
+				const pkce = authorizationServerMetadata.code_challenge_methods_supported ? await createPkce({
+					allowedCodeChallengeMethods: authorizationServerMetadata.code_challenge_methods_supported,
+					callbacks: this.options.callbacks,
+					codeVerifier: options.pkceCodeVerifier
+				}) : void 0;
+				const result = await this.sendInteractiveAuthorizationRequest({
+					authorizationServerMetadata,
+					request: {
+						response_type: "code",
+						client_id: options.clientId,
+						interaction_types_supported: ["redirect_to_web", "openid4vp_presentation"].join(","),
+						scope: options.scope,
+						redirect_uri: options.redirectUri,
+						resource: options.resource,
+						state: options.state,
+						code_challenge: pkce?.codeChallenge,
+						code_challenge_method: pkce?.codeChallengeMethod,
+						...options.additionalRequestPayload
+					},
+					dpop: options.dpop
+				});
+				const response = result.interactiveAuthorizationResponse;
+				if (response.status === "ok") throw new Oauth2Error("Received a successful authorization code response from interactive authorization endpoint without authorization");
+				if (response.status === "require_interaction") {
+					if (response.type === "redirect_to_web") {
+						const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${objectToQueryParams({
+							request_uri: response.request_uri,
+							client_id: options.clientId
+						}).toString()}`;
+						return {
+							authorizationFlow: AuthorizationFlow.Oauth2Redirect,
+							authorizationServer,
+							dpop: result.dpop,
+							authorizationRequestUrl,
+							pkce
+						};
+					}
+					if (response.type === "openid4vp_presentation") return {
+						authorizationFlow: AuthorizationFlow.InteractiveAuthorizationOpenid4vp,
+						authorizationServer,
+						dpop: result.dpop,
+						openid4vpRequest: response.openid4vp_request,
+						authSession: response.auth_session
+					};
+				}
+			}
 			return {
 				...await oauth2Client.initiateAuthorization({
 					clientId: options.clientId,
@@ -1845,7 +2426,7 @@ var Openid4vciClient = class {
 	* @throws ValidationError - if validation of the credential request failed
 	* @throws Openid4vciError - if the `credentialConfigurationId` couldn't be found, or if the the format specific request couldn't be constructed
 	*/
-	async retrieveCredentials({ issuerMetadata, proof, proofs, credentialConfigurationId, additionalRequestPayload, accessToken, dpop }) {
+	async retrieveCredentials({ issuerMetadata, proof, proofs, credentialConfigurationId, additionalRequestPayload, accessToken, dpop, credentialResponseEncryption }) {
 		let credentialResponse;
 		if (issuerMetadata.originalDraftVersion === Openid4vciVersion.Draft15 || issuerMetadata.originalDraftVersion === Openid4vciVersion.V1) credentialResponse = await retrieveCredentialsWithCredentialConfigurationId({
 			accessToken,
@@ -1855,7 +2436,8 @@ var Openid4vciClient = class {
 			proof,
 			proofs,
 			callbacks: this.options.callbacks,
-			dpop
+			dpop,
+			credentialResponseEncryption
 		});
 		else credentialResponse = await retrieveCredentialsWithFormat({
 			accessToken,
@@ -1868,7 +2450,8 @@ var Openid4vciClient = class {
 			proof,
 			proofs,
 			callbacks: this.options.callbacks,
-			dpop
+			dpop,
+			credentialResponseEncryption
 		});
 		if (!credentialResponse.ok) throw new Openid4vciRetrieveCredentialsError(`Error retrieving credentials from '${issuerMetadata.credentialIssuer.credential_issuer}'`, credentialResponse, await credentialResponse.response.clone().text());
 		return credentialResponse;
@@ -1901,12 +2484,27 @@ var Openid4vciClient = class {
 		if (!notificationResponse.ok) throw new Openid4vciSendNotificationError(`Error sending notification to '${issuerMetadata.credentialIssuer.credential_issuer}'`, notificationResponse);
 		return notificationResponse;
 	}
+	/**
+	* Send an Interactive Authorization Request
+	*
+	* This method sends a request to the Interactive Authorization Endpoint.
+	* Supports both initial requests and follow-up requests.
+	*
+	* @param options - Request options
+	* @returns The interactive authorization response and updated DPoP config
+	*/
+	async sendInteractiveAuthorizationRequest(options) {
+		return sendInteractiveAuthorizationRequest({
+			...options,
+			callbacks: this.options.callbacks
+		});
+	}
 };
 //#endregion
 //#region src/credential-request/credential-response.ts
-function createCredentialResponse(options) {
-	return parseWithErrorHandling(zCredentialResponse, {
+async function createCredentialResponse(options) {
+	const credentialResponse = parseWithErrorHandling(zCredentialResponse, {
 		c_nonce: options.cNonce,
 		c_nonce_expires_in: options.cNonceExpiresInSeconds,
 		credential: options.credential,
@@ -1917,15 +2515,45 @@ function createCredentialResponse(options) {
 		format: options.credentialRequest.format?.format,
 		...options.additionalPayload
 	});
+	if (options.credentialResponseEncryption) {
+		if (!options.callbacks?.encryptJwe) throw new Openid4vciError("'credentialResponseEncryption' was provided but 'callbacks.encryptJwe' is not defined. Provide the 'encryptJwe' callback to encrypt the credential response.");
+		const jweEncryptor = {
+			method: "jwk",
+			publicJwk: options.credentialResponseEncryption.jwk,
+			alg: options.credentialResponseEncryption.alg,
+			enc: options.credentialResponseEncryption.enc
+		};
+		const { jwe } = await options.callbacks.encryptJwe(jweEncryptor, JSON.stringify(credentialResponse));
+		return {
+			credentialResponse,
+			credentialResponseJwt: jwe
+		};
+	}
+	return { credentialResponse };
 }
-function createDeferredCredentialResponse(options) {
-	return parseWithErrorHandling(zDeferredCredentialResponse, {
+async function createDeferredCredentialResponse(options) {
+	const deferredCredentialResponse = parseWithErrorHandling(zDeferredCredentialResponse, {
 		credentials: options.credentials,
 		notification_id: options.notificationId,
 		transaction_id: options.transactionId,
 		interval: options.interval,
 		...options.additionalPayload
 	});
+	if (options.credentialResponseEncryption) {
+		if (!options.callbacks?.encryptJwe) throw new Openid4vciError("'credentialResponseEncryption' was provided but 'callbacks.encryptJwe' is not defined. Provide the 'encryptJwe' callback to encrypt the deferred credential response.");
+		const jweEncryptor = {
+			method: "jwk",
+			publicJwk: options.credentialResponseEncryption.jwk,
+			alg: options.credentialResponseEncryption.alg,
+			enc: options.credentialResponseEncryption.enc
+		};
+		const { jwe } = await options.callbacks.encryptJwe(jweEncryptor, JSON.stringify(deferredCredentialResponse));
+		return {
+			deferredCredentialResponse,
+			deferredCredentialResponseJwt: jwe
+		};
+	}
+	return { deferredCredentialResponse };
 }
 //#endregion
@@ -1935,31 +2563,36 @@ function parseCredentialRequest(options) {
 	let proofs;
 	const knownProofs = zCredentialRequestProofs.strict().safeParse(credentialRequest.proofs);
 	if (knownProofs.success) proofs = knownProofs.data;
-	const knownProof = z.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+	const knownProof = z$1.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
 	if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
 	else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
+	const credentialResponseEncryption = credentialRequest.credential_response_encryption;
 	if (credentialRequest.credential_configuration_id) {
 		getKnownCredentialConfigurationSupportedById(options.issuerMetadata, credentialRequest.credential_configuration_id);
 		return {
 			credentialConfiguration: options.issuerMetadata.knownCredentialConfigurations[credentialRequest.credential_configuration_id],
 			credentialConfigurationId: credentialRequest.credential_configuration_id,
 			credentialRequest,
-			proofs
+			proofs,
+			credentialResponseEncryption
 		};
 	}
 	if (credentialRequest.credential_identifier) return {
 		credentialIdentifier: credentialRequest.credential_identifier,
 		credentialRequest,
-		proofs
+		proofs,
+		credentialResponseEncryption
 	};
 	if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) return {
-		format: parseWithErrorHandling(z.union(allCredentialRequestFormats), credentialRequest, "Unable to validate format specific properties from credential request"),
+		format: parseWithErrorHandling(z$1.union(allCredentialRequestFormats), credentialRequest, "Unable to validate format specific properties from credential request"),
 		credentialRequest,
-		proofs
+		proofs,
+		credentialResponseEncryption
 	};
 	return {
 		credentialRequest,
-		proofs
+		proofs,
+		credentialResponseEncryption
 	};
 }
@@ -2121,15 +2754,23 @@ var Openid4vciIssuer = class {
 	}
 	/**
 	* @throws ValidationError - when validation of the credential response fails
+	* @throws Openid4vciError - when encryption is requested but no encryptJwe callback is available
 	*/
 	createCredentialResponse(options) {
-		return createCredentialResponse(options);
+		return createCredentialResponse({
+			...options,
+			callbacks: options.credentialResponseEncryption ? { encryptJwe: this.options.callbacks.encryptJwe } : void 0
+		});
 	}
 	/**
 	* @throws ValidationError - when validation of the credential response fails
+	* @throws Openid4vciError - when encryption is requested but no encryptJwe callback is available
 	*/
 	createDeferredCredentialResponse(options) {
-		return createDeferredCredentialResponse(options);
+		return createDeferredCredentialResponse({
+			...options,
+			callbacks: options.credentialResponseEncryption ? { encryptJwe: this.options.callbacks.encryptJwe } : void 0
+		});
 	}
 	/**
 	* @throws ValidationError - when validation of the nonce response fails
@@ -2140,6 +2781,71 @@ var Openid4vciIssuer = class {
 	async verifyWalletAttestation(options) {
 		return new Oauth2AuthorizationServer({ callbacks: this.options.callbacks }).verifyClientAttestation(options);
 	}
+	/**
+	* Parse an Interactive Authorization Request
+	*
+	* This method parses and validates an Interactive Authorization Endpoint request.
+	* It automatically detects whether this is an initial request, a follow-up request,
+	* or a JAR (JWT-secured) request based on the parameters present.
+	*/
+	async parseInteractiveAuthorizationRequest(options) {
+		return parseInteractiveAuthorizationRequest({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
+	/**
+	* Verify an initial (possibly signed) Interactive Authorization Request
+	*
+	* This method verifies the interactive authorization request including:
+	* - JAR (JWT-secured Authorization Request) signature verification (if present)
+	* - Client attestation (if present)
+	* - DPoP binding (if present)
+	* - Authorization request parameters
+	*/
+	async verifyInteractiveAuthorizationInitialRequest(options) {
+		return verifyInteractiveAuthorizationInitialRequest({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
+	/**
+	* Create a successful Interactive Authorization Code Response
+	*
+	* This response indicates that the authorization process is complete
+	* and returns an authorization code that can be exchanged for an access token.
+	*/
+	createInteractiveAuthorizationCodeResponse(options) {
+		return createInteractiveAuthorizationCodeResponse(options);
+	}
+	/**
+	* Create an Interactive Authorization Interaction Required Response
+	* requesting an OpenID4VP presentation
+	*
+	* This response indicates that the wallet must present credentials
+	* via OpenID4VP before authorization can be granted.
+	*/
+	createInteractiveAuthorizationOpenid4vpInteraction(options) {
+		return createInteractiveAuthorizationOpenid4vpInteraction(options);
+	}
+	/**
+	* Create an Interactive Authorization Interaction Required Response
+	* requesting a redirect to web
+	*
+	* This response indicates that the authorization process must continue
+	* via interactions with the user in a web browser.
+	*/
+	createInteractiveAuthorizationRedirectToWebInteraction(options) {
+		return createInteractiveAuthorizationRedirectToWebInteraction(options);
+	}
+	/**
+	* Create an Interactive Authorization Error Response
+	*
+	* This response indicates that an error occurred during the authorization process.
+	*/
+	createInteractiveAuthorizationErrorResponse(options) {
+		return createInteractiveAuthorizationErrorResponse(options);
+	}
 };
 //#endregion
@@ -2172,5 +2878,5 @@ var Openid4vciWalletProvider = class {
 };
 //#endregion
-export { AuthorizationFlow, Openid4vciClient, Openid4vciDraftVersion, Openid4vciError, Openid4vciIssuer, Openid4vciRetrieveCredentialsError, Openid4vciSendNotificationError, Openid4vciVersion, Openid4vciWalletProvider, createKeyAttestationJwt, credentialsSupportedToCredentialConfigurationsSupported, determineAuthorizationServerForCredentialOffer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat, getGlobalConfig, parseKeyAttestationJwt, setGlobalConfig, verifyKeyAttestationJwt };
+export { AuthorizationFlow, InteractiveAuthorizationRequestType, Openid4vciClient, Openid4vciClientInteractiveAuthorizationError, Openid4vciDraftVersion, Openid4vciError, Openid4vciIssuer, Openid4vciRetrieveCredentialsError, Openid4vciSendNotificationError, Openid4vciVersion, Openid4vciWalletProvider, createInteractiveAuthorizationCodeResponse, createInteractiveAuthorizationErrorResponse, createInteractiveAuthorizationOpenid4vpInteraction, createInteractiveAuthorizationRedirectToWebInteraction, createKeyAttestationJwt, credentialsSupportedToCredentialConfigurationsSupported, determineAuthorizationServerForCredentialOffer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat, getGlobalConfig, parseInteractiveAuthorizationRequest, parseKeyAttestationJwt, sendInteractiveAuthorizationRequest, setGlobalConfig, verifyInteractiveAuthorizationInitialRequest, verifyKeyAttestationJwt };
 //# sourceMappingURL=index.mjs.map