@openid4vc/openid4vci 0.5.0-alpha-20260202131209 → 0.5.0-alpha-20260202155954

package/dist/index.mjs

@@ -1,6 +1,6 @@
-import { ContentType, OpenId4VcBaseError, URL, URLSearchParams, ValidationError, arrayEqualsIgnoreOrder, createZodFetcher, dateToSeconds, encodeToBase64Url, formatZodError, getGlobalConfig, getQueryParams, isResponseContentType, joinUriParts, objectToQueryParams, parseWithErrorHandling, setGlobalConfig, stringToJsonWithErrorHandling, zDataUrl, zHttpsUrl, zInteger, zIs, zNumericDate } from "@openid4vc/utils";
-import { InvalidFetchResponseError, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtVerificationError, Oauth2ServerErrorResponseError, authorizationCodeGrantIdentifier, createClientAttestationJwt, decodeJwt, fetchAuthorizationServerMetadata, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, getAuthorizationServerMetadataFromList, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationResponseRedirectUrl, preAuthorizedCodeGrantIdentifier, resourceRequest, verifyAuthorizationResponse, verifyJwt, zAuthorizationServerMetadata, zCompactJwt, zJwk, zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
-import z from "zod";
+import { ContentType, Headers, InvalidFetchResponseError, OpenId4VcBaseError, URL, URLSearchParams, ValidationError, arrayEqualsIgnoreOrder, createZodFetcher, dateToSeconds, encodeToBase64Url, formatZodError, getGlobalConfig, getQueryParams, isResponseContentType, joinUriParts, objectToQueryParams, parseWithErrorHandling, setGlobalConfig, stringToJsonWithErrorHandling, zDataUrl, zHttpsUrl, zInteger, zIs, zNumericDate } from "@openid4vc/utils";
+import { InvalidFetchResponseError as InvalidFetchResponseError$1, Oauth2AuthorizationServer, Oauth2Client, Oauth2ClientAuthorizationChallengeError, Oauth2ClientErrorResponseError, Oauth2Error, Oauth2ErrorCodes, Oauth2JwtVerificationError, Oauth2ServerErrorResponseError, authorizationCodeGrantIdentifier, authorizationServerRequestWithDpopRetry, createClientAttestationJwt, createDpopHeadersForRequest, createPkce, decodeJwt, extractDpopNonceFromHeaders, fetchAuthorizationServerMetadata, fetchWellKnownMetadata, fullySpecifiedCoseAlgorithmArrayToJwaSignatureAlgorithmArray, getAuthorizationServerMetadataFromList, isJarAuthorizationRequest, isJwkInSet, jwaSignatureAlgorithmArrayToFullySpecifiedCoseAlgorithmArray, jwtHeaderFromJwtSigner, jwtSignerFromJwt, parseAuthorizationRequest, parseAuthorizationResponseRedirectUrl, parseJarRequest, preAuthorizedCodeGrantIdentifier, resourceRequest, verifyAuthorizationRequest, verifyAuthorizationResponse, verifyJarRequest, verifyJwt, zAuthorizationRequest, zAuthorizationServerMetadata, zCompactJwt, zJarAuthorizationRequest, zJwk, zJwtHeader, zJwtPayload, zOauth2ErrorResponse } from "@openid4vc/oauth2";
+import z$1, { z } from "zod";
 
 //#region src/version.ts
 let Openid4vciVersion = /* @__PURE__ */ function(Openid4vciVersion$1) {
@@ -17,35 +17,35 @@ const Openid4vciDraftVersion = Openid4vciVersion;
 
 //#endregion
 //#region src/credential-offer/z-credential-offer.ts
-const zTxCode = z.object({
-	input_mode: z.union([z.literal("numeric"), z.literal("text")]).optional(),
-	length: z.number().int().optional(),
-	description: z.string().max(300).optional()
+const zTxCode = z$1.object({
+	input_mode: z$1.union([z$1.literal("numeric"), z$1.literal("text")]).optional(),
+	length: z$1.number().int().optional(),
+	description: z$1.string().max(300).optional()
 }).loose();
-const zCredentialOfferGrants = z.object({
-	authorization_code: z.object({
-		issuer_state: z.string().optional(),
+const zCredentialOfferGrants = z$1.object({
+	authorization_code: z$1.object({
+		issuer_state: z$1.string().optional(),
 		authorization_server: zHttpsUrl.optional()
 	}).loose().optional(),
-	[preAuthorizedCodeGrantIdentifier]: z.object({
-		"pre-authorized_code": z.string(),
+	[preAuthorizedCodeGrantIdentifier]: z$1.object({
+		"pre-authorized_code": z$1.string(),
 		tx_code: zTxCode.optional(),
 		authorization_server: zHttpsUrl.optional()
 	}).loose().optional()
 }).loose();
-const zCredentialOfferObjectDraft14 = z.object({
+const zCredentialOfferObjectDraft14 = z$1.object({
 	credential_issuer: zHttpsUrl,
-	credential_configuration_ids: z.array(z.string()),
-	grants: z.optional(zCredentialOfferGrants)
+	credential_configuration_ids: z$1.array(z$1.string()),
+	grants: z$1.optional(zCredentialOfferGrants)
 }).loose();
-const zCredentialOfferObjectDraft11To14 = z.object({
+const zCredentialOfferObjectDraft11To14 = z$1.object({
 	credential_issuer: zHttpsUrl,
-	credentials: z.array(z.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })),
-	grants: z.optional(z.object({
+	credentials: z$1.array(z$1.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })),
+	grants: z$1.optional(z$1.object({
 		authorization_code: zCredentialOfferGrants.shape.authorization_code,
-		[preAuthorizedCodeGrantIdentifier]: z.object({
-			"pre-authorized_code": z.string(),
-			user_pin_required: z.optional(z.boolean())
+		[preAuthorizedCodeGrantIdentifier]: z$1.object({
+			"pre-authorized_code": z$1.string(),
+			user_pin_required: z$1.optional(z$1.boolean())
 		}).loose().optional()
 	}))
 }).loose().transform(({ credentials, grants, ...rest }) => {
@@ -63,7 +63,7 @@ const zCredentialOfferObjectDraft11To14 = z.object({
 	}
 	return v14;
 }).pipe(zCredentialOfferObjectDraft14);
-const zCredentialOfferObject = z.union([zCredentialOfferObjectDraft14, zCredentialOfferObjectDraft11To14]);
+const zCredentialOfferObject = z$1.union([zCredentialOfferObjectDraft14, zCredentialOfferObjectDraft11To14]);
 
 //#endregion
 //#region src/credential-offer/credential-offer.ts
@@ -75,7 +75,7 @@ async function resolveCredentialOffer(credentialOffer, options) {
 	let credentialOfferParseResult;
 	if (parsedQueryParams.credential_offer_uri) {
 		const { response, result } = await createZodFetcher(options?.fetch)(zCredentialOfferObject, ContentType.Json, parsedQueryParams.credential_offer_uri);
-		if (!response.ok || !result) throw new InvalidFetchResponseError(`Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
+		if (!response.ok || !result) throw new InvalidFetchResponseError$1(`Fetching credential offer from '${parsedQueryParams.credential_offer_uri}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
 		credentialOfferParseResult = result;
 	} else if (parsedQueryParams.credential_offer) {
 		let credentialOfferJson;
@@ -167,6 +167,15 @@ function getCredentialConfigurationsMatchingRequestFormat({ requestFormat, issue
 	}));
 }
 
+//#endregion
+//#region src/error/Openid4vciClientInteractiveAuthorizationError.ts
+var Openid4vciClientInteractiveAuthorizationError = class extends Oauth2ClientErrorResponseError {
+	constructor(message, errorResponse, response) {
+		super(message, errorResponse, response);
+		this.errorResponse = errorResponse;
+	}
+};
+
 //#endregion
 //#region src/error/Openid4vciError.ts
 var Openid4vciError = class extends Error {
@@ -197,31 +206,466 @@ var Openid4vciSendNotificationError = class extends Openid4vciError {
 	}
 };
 
+//#endregion
+//#region src/interactive-authorization/z-interactive-authorization.ts
+/**
+* Schema for Interactive Authorization Request (initial request)
+*
+* Based on OpenID4VCI 1.1 Interactive Authorization Endpoint
+* Similar to PAR request but sent to interactive_authorization_endpoint
+*/
+const zInteractiveAuthorizationInitialRequest = z.object({
+	...zAuthorizationRequest.omit({ response_type: true }).shape,
+	interaction_types_supported: z.string(),
+	response_type: z.literal("code").default("code")
+}).loose();
+/**
+* Schema for Follow-up Interactive Authorization Request
+*
+* Follow-up requests include auth_session and interaction-specific parameters
+*/
+const zInteractiveAuthorizationFollowUpRequest = z.object({
+	auth_session: z.string(),
+	openid4vp_response: z.optional(z.string()),
+	code_verifier: z.optional(z.string())
+}).loose();
+/**
+* Base schema for Interaction Required Response
+*
+* Contains fields common to all interaction types
+*/
+const zInteractiveAuthorizationInteractionRequiredResponseBase = z.object({
+	status: z.literal("require_interaction"),
+	auth_session: z.string(),
+	expires_in: z.optional(zInteger)
+});
+/**
+* Schema for OpenID4VP Presentation Interaction Response
+*
+* Returned when the Authorization Server requires an OpenID4VP presentation
+*/
+const zInteractiveAuthorizationOpenid4vpPresentationResponse = zInteractiveAuthorizationInteractionRequiredResponseBase.extend({
+	type: z.literal("openid4vp_presentation"),
+	openid4vp_request: z.record(z.string(), z.unknown())
+}).loose();
+/**
+* Schema for Redirect to Web Interaction Response
+*
+* Returned when the Authorization Server requires a browser redirect
+*/
+const zInteractiveAuthorizationRedirectToWebResponse = zInteractiveAuthorizationInteractionRequiredResponseBase.extend({
+	type: z.literal("redirect_to_web"),
+	request_uri: z.string()
+}).loose();
+/**
+* Schema for Interaction Required Response (discriminated union)
+*
+* Returned when the Authorization Server requires additional user interaction.
+* Uses discriminated union on 'type' field for better type inference.
+*/
+const zInteractiveAuthorizationInteractionRequiredResponse = z.discriminatedUnion("type", [zInteractiveAuthorizationOpenid4vpPresentationResponse, zInteractiveAuthorizationRedirectToWebResponse]);
+/**
+* Schema for Authorization Code Response
+*
+* Returned when authorization is successfully completed
+*/
+const zInteractiveAuthorizationCodeResponse = z.object({
+	status: z.literal("ok"),
+	code: z.string()
+}).loose();
+/**
+
+
+/**
+* Union type for all possible Interactive Authorization Responses
+*/
+const zInteractiveAuthorizationResponse = z.union([zInteractiveAuthorizationInteractionRequiredResponse, zInteractiveAuthorizationCodeResponse]);
+/**
+* Type guard to check if a request is a JAR Interactive Authorization Request
+*/
+function isInteractiveAuthorizationFollowUpRequest(request) {
+	return request.auth_session !== void 0;
+}
+
+//#endregion
+//#region src/interactive-authorization/create-interactive-authorization-response.ts
+/**
+* Create a successful Interactive Authorization Code Response
+*
+* This response indicates that the authorization process is complete
+* and returns an authorization code that can be exchanged for an access token.
+*
+* @param options - Response options
+* @returns The authorization code response
+*
+* @example
+* ```ts
+* const response = createInteractiveAuthorizationCodeResponse({
+*   authorizationCode: 'SplxlOBeZQQYbYS6WxSbIA'
+* })
+* ```
+*/
+function createInteractiveAuthorizationCodeResponse(options) {
+	return parseWithErrorHandling(zInteractiveAuthorizationCodeResponse, {
+		status: "ok",
+		code: options.authorizationCode,
+		...options.additionalPayload
+	});
+}
+/**
+* Create an Interactive Authorization Interaction Required Response
+* requesting an OpenID4VP presentation
+*
+* This response indicates that the wallet must present credentials
+* via OpenID4VP before authorization can be granted.
+*
+* @param options - Response options
+* @returns The interaction required response
+*
+* @example With unsigned request
+* ```ts
+* const response = createInteractiveAuthorizationOpenid4vpInteraction({
+*   authSession: 'session-123',
+*   openid4vpRequest: {
+*     response_type: 'vp_token',
+*     response_mode: 'iae_post',
+*     nonce: 'n-0S6_WzA2Mj',
+*     dcql_query: { ... }
+*   }
+* })
+* ```
+*
+* @example With signed request
+* ```ts
+* const response = createInteractiveAuthorizationOpenid4vpInteraction({
+*   authSession: 'session-123',
+*   openid4vpRequest: {
+*     request: 'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...'
+*   }
+* })
+* ```
+*/
+function createInteractiveAuthorizationOpenid4vpInteraction(options) {
+	return parseWithErrorHandling(zInteractiveAuthorizationInteractionRequiredResponse, {
+		status: "require_interaction",
+		type: "openid4vp_presentation",
+		auth_session: options.authSession,
+		openid4vp_request: options.openid4vpRequest,
+		...options.additionalPayload
+	});
+}
+/**
+* Create an Interactive Authorization Interaction Required Response
+* requesting a redirect to web
+*
+* This response indicates that the authorization process must continue
+* via interactions with the user in a web browser.
+*
+* @param options - Response options
+* @returns The interaction required response
+*
+* @example
+* ```ts
+* const response = createInteractiveAuthorizationRedirectToWebInteraction({
+*   authSession: 'session-123',
+*   requestUri: 'urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c',
+*   expiresIn: 60
+* })
+* ```
+*/
+function createInteractiveAuthorizationRedirectToWebInteraction(options) {
+	return parseWithErrorHandling(zInteractiveAuthorizationInteractionRequiredResponse, {
+		status: "require_interaction",
+		type: "redirect_to_web",
+		auth_session: options.authSession,
+		request_uri: options.requestUri,
+		expires_in: options.expiresIn,
+		...options.additionalPayload
+	});
+}
+/**
+* Create an Interactive Authorization Error Response
+*
+* This response indicates that an error occurred during the authorization process.
+*
+* @param options - Error response options
+* @returns The error response
+*
+* @example
+* ```ts
+* const response = createInteractiveAuthorizationErrorResponse({
+*   error: 'missing_interaction_type',
+*   errorDescription: 'interaction_types_supported is missing openid4vp_presentation'
+* })
+* ```
+*/
+function createInteractiveAuthorizationErrorResponse(options) {
+	return parseWithErrorHandling(zOauth2ErrorResponse, {
+		error: options.error,
+		error_description: options.errorDescription,
+		error_uri: options.errorUri,
+		...options.additionalPayload
+	});
+}
+
+//#endregion
+//#region src/interactive-authorization/parse-interactive-authorization-request.ts
+let InteractiveAuthorizationRequestType = /* @__PURE__ */ function(InteractiveAuthorizationRequestType$1) {
+	InteractiveAuthorizationRequestType$1["Initial"] = "Initial";
+	InteractiveAuthorizationRequestType$1["FollowUp"] = "FollowUp";
+	return InteractiveAuthorizationRequestType$1;
+}({});
+/**
+* Parse an Interactive Authorization Request
+*
+* This function parses and validates an Interactive Authorization Endpoint request.
+* It automatically detects whether this is an initial request, a follow-up request,
+* or a JAR (JWT-secured) request based on the parameters present.
+*
+* @param options - Parsing options
+* @returns The parsed request and metadata
+* @throws {Oauth2ServerErrorResponseError} if validation fails
+*
+* @example Parse initial request
+* ```ts
+* const { interactiveAuthorizationRequest, isFollowUpRequest } = await parseInteractiveAuthorizationRequest({
+*   request: req,
+*   interactiveAuthorizationRequest: req.body,
+*   callbacks: { fetch }
+* })
+* // isFollowUpRequest = false
+* ```
+*
+* @example Parse follow-up request
+* ```ts
+* const { interactiveAuthorizationRequest, isFollowUpRequest } = await parseInteractiveAuthorizationRequest({
+*   request: req,
+*   interactiveAuthorizationRequest: req.body,
+*   callbacks: { fetch }
+* })
+* // isFollowUpRequest = true
+* ```
+*
+* @example Parse JAR request
+* ```ts
+* const { interactiveAuthorizationRequest, interactiveAuthorizationRequestJwt } = await parseInteractiveAuthorizationRequest({
+*   request: req,
+*   interactiveAuthorizationRequest: req.body,
+*   callbacks: { fetch }
+* })
+* // interactiveAuthorizationRequestJwt contains the signed JWT
+* ```
+*/
+async function parseInteractiveAuthorizationRequest(options) {
+	const parsed = parseWithErrorHandling(z$1.union([
+		zInteractiveAuthorizationInitialRequest,
+		zInteractiveAuthorizationFollowUpRequest,
+		zJarAuthorizationRequest
+	]), options.interactiveAuthorizationRequest, "Invalid interactive authorization request. Could not parse as initial request, follow-up request, or JAR request.");
+	if (isInteractiveAuthorizationFollowUpRequest(parsed)) return {
+		type: InteractiveAuthorizationRequestType.FollowUp,
+		interactiveAuthorizationRequest: parsed
+	};
+	let interactiveAuthorizationRequest;
+	let interactiveAuthorizationRequestJwt;
+	if (isJarAuthorizationRequest(parsed)) {
+		const parsedJar = await parseJarRequest({
+			jarRequestParams: parsed,
+			callbacks: options.callbacks
+		});
+		const jwt = decodeJwt({ jwt: parsedJar.authorizationRequestJwt });
+		const parsedInteractiveAuthorizationRequest = zInteractiveAuthorizationInitialRequest.safeParse(jwt.payload);
+		if (!parsedInteractiveAuthorizationRequest.success) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Invalid interactive authorization request. Could not parse JAR request payload.\n${formatZodError(parsedInteractiveAuthorizationRequest.error)}`
+		});
+		interactiveAuthorizationRequestJwt = parsedJar.authorizationRequestJwt;
+		interactiveAuthorizationRequest = parsedInteractiveAuthorizationRequest.data;
+	} else interactiveAuthorizationRequest = parsed;
+	const { clientAttestation, dpop } = parseAuthorizationRequest({
+		authorizationRequest: interactiveAuthorizationRequest,
+		request: options.request
+	});
+	return {
+		type: InteractiveAuthorizationRequestType.Initial,
+		interactiveAuthorizationRequest,
+		interactiveAuthorizationRequestJwt,
+		dpop,
+		clientAttestation,
+		interactionTypesSupported: interactiveAuthorizationRequest.interaction_types_supported.split(",")
+	};
+}
+
+//#endregion
+//#region src/interactive-authorization/send-interactive-authorization-request.ts
+/**
+* Send an Interactive Authorization Request to the Authorization Server
+*
+* Implements the Interactive Authorization Endpoint flow from OpenID4VCI 1.1.
+* This endpoint enables complex authentication and authorization flows where
+* interaction occurs directly with the Wallet rather than being intermediated
+* by a browser.
+*
+* The request can be either:
+* - Initial request: Contains authorization parameters and interaction_types_supported
+* - Follow-up request: Contains auth_session and interaction-specific parameters
+*
+* @param options - Configuration options for the request
+* @returns The interactive authorization response and updated DPoP config
+* @throws {Oauth2Error} if the authorization server doesn't support interactive authorization
+* @throws {Openid4vciClientInteractiveAuthorizationError} if the request failed and an error response is returned
+* @throws {InvalidFetchResponseError} if the request failed but no error response could be parsed
+* @throws {ValidationError} if a successful response was received but an error occurred during verification
+*
+* @example Initial request
+* ```ts
+* const result = await sendInteractiveAuthorizationRequest({
+*   callbacks,
+*   authorizationServerMetadata,
+*   request: {
+*     response_type: 'code',
+*     client_id: 'my-client',
+*     interaction_types_supported: 'openid4vp_presentation,redirect_to_web',
+*     authorization_details: [...]
+*   }
+* })
+* ```
+*
+* @example Follow-up request with OpenID4VP response
+* ```ts
+* const result = await sendInteractiveAuthorizationRequest({
+*   callbacks,
+*   authorizationServerMetadata,
+*   request: {
+*     auth_session: 'session-123',
+*     openid4vp_response: JSON.stringify({ vp_token: '...' })
+*   }
+* })
+* ```
+*/
+async function sendInteractiveAuthorizationRequest(options) {
+	const fetchWithZod = createZodFetcher(options.callbacks.fetch);
+	const authorizationServerMetadata = options.authorizationServerMetadata;
+	const interactiveAuthorizationEndpoint = authorizationServerMetadata.interactive_authorization_endpoint;
+	if (!interactiveAuthorizationEndpoint) throw new Oauth2Error(`Unable to send interactive authorization request. Authorization server '${authorizationServerMetadata.issuer}' has no 'interactive_authorization_endpoint'`);
+	const interactiveAuthorizationRequest = options.request.auth_session ? parseWithErrorHandling(zInteractiveAuthorizationFollowUpRequest, options.request, "Invalid interactive authorization follow-up request") : parseWithErrorHandling(zInteractiveAuthorizationInitialRequest, options.request, "Invalid interactive authorization request");
+	return authorizationServerRequestWithDpopRetry({
+		dpop: options.dpop,
+		request: async (dpop) => {
+			const headers = new Headers({
+				...dpop ? await createDpopHeadersForRequest({
+					request: {
+						method: "POST",
+						url: interactiveAuthorizationEndpoint
+					},
+					signer: dpop.signer,
+					callbacks: options.callbacks,
+					nonce: dpop.nonce
+				}) : void 0,
+				...options.additionalHeaders,
+				"Content-Type": ContentType.XWwwFormUrlencoded
+			});
+			const { response, result } = await fetchWithZod(zInteractiveAuthorizationResponse, ContentType.Json, interactiveAuthorizationEndpoint, {
+				method: "POST",
+				body: objectToQueryParams(interactiveAuthorizationRequest).toString(),
+				headers
+			});
+			if (!response.ok || !result) {
+				const interactiveAuthorizationErrorResponse = zOauth2ErrorResponse.safeParse(await response.clone().json().catch(() => null));
+				if (interactiveAuthorizationErrorResponse.success) throw new Openid4vciClientInteractiveAuthorizationError(`Error requesting authorization from interactive authorization endpoint '${authorizationServerMetadata.interactive_authorization_endpoint}'. Received response with status ${response.status}`, interactiveAuthorizationErrorResponse.data, response);
+				throw new InvalidFetchResponseError(`Error requesting authorization from interactive authorization endpoint '${authorizationServerMetadata.interactive_authorization_endpoint}'. Received response with status ${response.status}`, await response.clone().text(), response);
+			}
+			if (!result.success) throw new ValidationError("Error validating interactive authorization response", result.error);
+			const dpopNonce = extractDpopNonceFromHeaders(response.headers) ?? void 0;
+			return {
+				interactiveAuthorizationResponse: result.data,
+				dpop: dpop ? {
+					...dpop,
+					nonce: dpopNonce
+				} : void 0
+			};
+		}
+	});
+}
+
+//#endregion
+//#region src/interactive-authorization/verify-interactive-authorization-request.ts
+/**
+* Verify an initial (possibly signed) Interactive Authorization Request
+*
+* This function verifies the interactive authorization request including:
+* - JAR (JWT-secured Authorization Request) signature verification (if present)
+* - Client attestation (if present)
+* - DPoP binding (if present)
+* - Authorization request parameters
+*
+* @param options - Verification options
+* @returns Verification result with client attestation and DPoP info
+*
+* @example Verify initial request
+* ```ts
+* const result = await verifyInteractiveAuthorizationInitialRequest({
+*   interactiveAuthorizationRequest: request,
+*   authorizationServerMetadata,
+*   callbacks: { fetch, verifyJwt }
+* })
+* ```
+*
+* @example Verify JAR request
+* ```ts
+* const result = await verifyInteractiveAuthorizationInitialRequest({
+*   interactiveAuthorizationRequest: jarRequest,
+*   interactiveAuthorizationRequestJwt: jwt,
+*   jwtSigner: { ... },
+*   authorizationServerMetadata,
+*   callbacks: { fetch, verifyJwt }
+* })
+* ```
+*/
+async function verifyInteractiveAuthorizationInitialRequest(options) {
+	let jar;
+	if (options.interactiveAuthorizationRequestJwt) jar = await verifyJarRequest({
+		authorizationRequestJwt: options.interactiveAuthorizationRequestJwt.jwt,
+		jarRequestParams: options.interactiveAuthorizationRequest,
+		callbacks: options.callbacks,
+		jwtSigner: options.interactiveAuthorizationRequestJwt.signer
+	});
+	const { clientAttestation, dpop } = await verifyAuthorizationRequest({
+		...options,
+		authorizationRequest: options.interactiveAuthorizationRequest
+	});
+	return {
+		dpop,
+		clientAttestation,
+		jar
+	};
+}
+
 //#endregion
 //#region src/key-attestation/z-key-attestation.ts
-const zKeyAttestationJwtHeader = z.object({
+const zKeyAttestationJwtHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("keyattestation+jwt").or(z.literal("key-attestation+jwt"))
+	typ: z$1.literal("keyattestation+jwt").or(z$1.literal("key-attestation+jwt"))
 }).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
-const zIso18045 = z.enum([
+const zIso18045 = z$1.enum([
 	"iso_18045_high",
 	"iso_18045_moderate",
 	"iso_18045_enhanced-basic",
 	"iso_18045_basic"
 ]);
-const zIso18045OrStringArray = z.array(z.union([zIso18045, z.string()]));
-const zKeyAttestationJwtPayload = z.object({
+const zIso18045OrStringArray = z$1.array(z$1.union([zIso18045, z$1.string()]));
+const zKeyAttestationJwtPayload = z$1.object({
 	...zJwtPayload.shape,
 	iat: zNumericDate,
-	attested_keys: z.array(zJwk),
-	key_storage: z.optional(zIso18045OrStringArray),
-	user_authentication: z.optional(zIso18045OrStringArray),
-	certification: z.optional(z.url())
+	attested_keys: z$1.array(zJwk),
+	key_storage: z$1.optional(zIso18045OrStringArray),
+	user_authentication: z$1.optional(zIso18045OrStringArray),
+	certification: z$1.optional(z$1.url())
 }).loose();
-const zKeyAttestationJwtPayloadForUse = (use) => z.object({
+const zKeyAttestationJwtPayloadForUse = (use) => z$1.object({
 	...zKeyAttestationJwtPayload.shape,
-	nonce: use === "proof_type.attestation" ? z.string({ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly` }) : z.optional(z.string()),
-	exp: use === "proof_type.jwt" ? zNumericDate : z.optional(zNumericDate)
+	nonce: use === "proof_type.attestation" ? z$1.string({ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly` }) : z$1.optional(z$1.string()),
+	exp: use === "proof_type.jwt" ? zNumericDate : z$1.optional(zNumericDate)
 }).loose();
 
 //#endregion
@@ -283,124 +727,124 @@ async function verifyKeyAttestationJwt(options) {
 
 //#endregion
 //#region src/metadata/credential-issuer/z-claims-description.ts
-const zCredentialConfigurationSupportedClaimsDescriptionDraft14 = z.object({
-	mandatory: z.boolean().optional(),
-	value_type: z.string().optional(),
-	display: z.array(z.object({
-		name: z.string().optional(),
-		locale: z.string().optional()
+const zCredentialConfigurationSupportedClaimsDescriptionDraft14 = z$1.object({
+	mandatory: z$1.boolean().optional(),
+	value_type: z$1.string().optional(),
+	display: z$1.array(z$1.object({
+		name: z$1.string().optional(),
+		locale: z$1.string().optional()
 	}).loose()).optional()
 }).loose();
-const zCredentialConfigurationSupportedClaimsDraft14 = z.record(z.string(), z.union([zCredentialConfigurationSupportedClaimsDescriptionDraft14, z.lazy(() => zCredentialConfigurationSupportedClaimsDraft14)]));
-const zClaimDescriptionPathValue = z.union([
-	z.string(),
-	z.number().int().nonnegative(),
-	z.null()
+const zCredentialConfigurationSupportedClaimsDraft14 = z$1.record(z$1.string(), z$1.union([zCredentialConfigurationSupportedClaimsDescriptionDraft14, z$1.lazy(() => zCredentialConfigurationSupportedClaimsDraft14)]));
+const zClaimDescriptionPathValue = z$1.union([
+	z$1.string(),
+	z$1.number().int().nonnegative(),
+	z$1.null()
 ]);
-const zClaimsDescriptionPath = z.tuple([zClaimDescriptionPathValue], zClaimDescriptionPathValue);
-const zMsoMdocClaimsDescriptionPath = z.tuple([z.string(), z.string()], zClaimDescriptionPathValue, { message: "mso_mdoc claims description path MUST be an array with at least two string elements, pointing to the namespace and element identifier within an mdoc credential" });
-const zIssuerMetadataClaimsDescription = z.object({
+const zClaimsDescriptionPath = z$1.tuple([zClaimDescriptionPathValue], zClaimDescriptionPathValue);
+const zMsoMdocClaimsDescriptionPath = z$1.tuple([z$1.string(), z$1.string()], zClaimDescriptionPathValue, { message: "mso_mdoc claims description path MUST be an array with at least two string elements, pointing to the namespace and element identifier within an mdoc credential" });
+const zIssuerMetadataClaimsDescription = z$1.object({
 	path: zClaimsDescriptionPath,
-	mandatory: z.boolean().optional(),
-	display: z.array(z.object({
-		name: z.string().optional(),
-		locale: z.string().optional()
+	mandatory: z$1.boolean().optional(),
+	display: z$1.array(z$1.object({
+		name: z$1.string().optional(),
+		locale: z$1.string().optional()
 	}).loose()).optional()
 }).loose();
 const zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({ path: zMsoMdocClaimsDescriptionPath });
 
 //#endregion
 //#region src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
-const zCredentialConfigurationSupportedDisplayEntry = z.object({
-	name: z.string(),
-	locale: z.string().optional(),
-	logo: z.object({
+const zCredentialConfigurationSupportedDisplayEntry = z$1.object({
+	name: z$1.string(),
+	locale: z$1.string().optional(),
+	logo: z$1.object({
 		uri: zHttpsUrl.or(zDataUrl).optional(),
-		alt_text: z.string().optional()
+		alt_text: z$1.string().optional()
 	}).loose().optional(),
-	description: z.string().optional(),
-	background_color: z.string().optional(),
-	background_image: z.object({ uri: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
-	text_color: z.string().optional()
+	description: z$1.string().optional(),
+	background_color: z$1.string().optional(),
+	background_image: z$1.object({ uri: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
+	text_color: z$1.string().optional()
 }).loose();
-const zCredentialConfigurationSupportedCommonCredentialMetadata = z.object({ display: z.array(zCredentialConfigurationSupportedDisplayEntry).optional() }).loose();
-const zCredentialConfigurationSupportedCommon = z.object({
-	format: z.string(),
-	scope: z.string().optional(),
-	cryptographic_binding_methods_supported: z.array(z.string()).optional(),
-	credential_signing_alg_values_supported: z.array(z.string()).or(z.array(z.number())).optional(),
-	proof_types_supported: z.record(z.union([
-		z.literal("jwt"),
-		z.literal("attestation"),
-		z.string()
-	]), z.object({
-		proof_signing_alg_values_supported: z.array(z.string()),
-		key_attestations_required: z.object({
+const zCredentialConfigurationSupportedCommonCredentialMetadata = z$1.object({ display: z$1.array(zCredentialConfigurationSupportedDisplayEntry).optional() }).loose();
+const zCredentialConfigurationSupportedCommon = z$1.object({
+	format: z$1.string(),
+	scope: z$1.string().optional(),
+	cryptographic_binding_methods_supported: z$1.array(z$1.string()).optional(),
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).or(z$1.array(z$1.number())).optional(),
+	proof_types_supported: z$1.record(z$1.union([
+		z$1.literal("jwt"),
+		z$1.literal("attestation"),
+		z$1.string()
+	]), z$1.object({
+		proof_signing_alg_values_supported: z$1.array(z$1.string()),
+		key_attestations_required: z$1.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
 		}).loose().optional()
 	})).optional(),
 	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.optional()
 }).loose();
-const zCredentialConfigurationSupportedCommonDraft15 = z.object({
-	format: z.string(),
-	scope: z.string().optional(),
-	cryptographic_binding_methods_supported: z.array(z.string()).optional(),
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	proof_types_supported: z.record(z.union([
-		z.literal("jwt"),
-		z.literal("attestation"),
-		z.string()
-	]), z.object({
-		proof_signing_alg_values_supported: z.array(z.string()),
-		key_attestations_required: z.object({
+const zCredentialConfigurationSupportedCommonDraft15 = z$1.object({
+	format: z$1.string(),
+	scope: z$1.string().optional(),
+	cryptographic_binding_methods_supported: z$1.array(z$1.string()).optional(),
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	proof_types_supported: z$1.record(z$1.union([
+		z$1.literal("jwt"),
+		z$1.literal("attestation"),
+		z$1.string()
+	]), z$1.object({
+		proof_signing_alg_values_supported: z$1.array(z$1.string()),
+		key_attestations_required: z$1.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
 		}).loose().optional()
 	})).optional(),
-	display: z.array(zCredentialConfigurationSupportedDisplayEntry).optional(),
-	credential_metadata: z.optional(z.never())
+	display: z$1.array(zCredentialConfigurationSupportedDisplayEntry).optional(),
+	credential_metadata: z$1.optional(z$1.never())
 }).loose();
 
 //#endregion
 //#region src/formats/credential/mso-mdoc/z-mso-mdoc.ts
-const zMsoMdocFormatIdentifier = z.literal("mso_mdoc");
+const zMsoMdocFormatIdentifier = z$1.literal("mso_mdoc");
 const zMsoMdocCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
-	credential_signing_alg_values_supported: z.array(z.number()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zMsoMdocIssuerMetadataClaimsDescription).optional() }).optional()
+	doctype: z$1.string(),
+	credential_signing_alg_values_supported: z$1.array(z$1.number()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zMsoMdocIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zMsoMdocCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
-	claims: z.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
+	doctype: z$1.string(),
+	claims: z$1.array(zMsoMdocIssuerMetadataClaimsDescription).optional()
 });
 const zMsoMdocCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
+	doctype: z$1.string(),
 	claims: zCredentialConfigurationSupportedClaimsDraft14.optional(),
-	order: z.optional(z.array(z.string()))
+	order: z$1.optional(z$1.array(z$1.string()))
 });
-const zMsoMdocCredentialRequestFormatDraft14 = z.object({
+const zMsoMdocCredentialRequestFormatDraft14 = z$1.object({
 	format: zMsoMdocFormatIdentifier,
-	doctype: z.string(),
+	doctype: z$1.string(),
 	claims: zCredentialConfigurationSupportedClaimsDraft14.optional()
 });
 
 //#endregion
 //#region src/formats/credential/sd-jwt-dc/z-sd-jwt-dc.ts
-const zSdJwtDcFormatIdentifier = z.literal("dc+sd-jwt");
+const zSdJwtDcFormatIdentifier = z$1.literal("dc+sd-jwt");
 const zSdJwtDcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zSdJwtDcFormatIdentifier,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zSdJwtDcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zSdJwtDcFormatIdentifier,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 
 //#endregion
@@ -410,19 +854,19 @@ const zSdJwtDcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupporte
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
-const zLegacySdJwtVcFormatIdentifier = z.literal("vc+sd-jwt");
+const zLegacySdJwtVcFormatIdentifier = z$1.literal("vc+sd-jwt");
 /**
 * @deprecated format has been deprecated in favor of "dc+sd-jwt" since Draft 23
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
 const zLegacySdJwtVcCredentialIssuerMetadataV1 = zCredentialConfigurationSupportedCommon.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zLegacySdJwtVcFormatIdentifier,
-	order: z.optional(z.array(z.string())),
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
-	credential_definition: z.optional(z.never())
+	order: z$1.optional(z$1.array(z$1.string())),
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
+	credential_definition: z$1.optional(z$1.never())
 });
 /**
 * @deprecated format has been deprecated in favor of "dc+sd-jwt" since Draft 23
@@ -430,71 +874,71 @@ const zLegacySdJwtVcCredentialIssuerMetadataV1 = zCredentialConfigurationSupport
 * implementations accordingly.
 */
 const zLegacySdJwtVcCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
-	vct: z.string(),
+	vct: z$1.string(),
 	format: zLegacySdJwtVcFormatIdentifier,
-	claims: z.optional(zCredentialConfigurationSupportedClaimsDraft14),
-	order: z.optional(z.array(z.string())),
-	credential_definition: z.optional(z.never())
+	claims: z$1.optional(zCredentialConfigurationSupportedClaimsDraft14),
+	order: z$1.optional(z$1.array(z$1.string())),
+	credential_definition: z$1.optional(z$1.never())
 });
 /**
 * @deprecated format has been deprecated in favor of "dc+sd-jwt" since Draft 23
 * of the OpenID for Verifiable Presentations specification. Please update your
 * implementations accordingly.
 */
-const zLegacySdJwtVcCredentialRequestFormatDraft14 = z.object({
+const zLegacySdJwtVcCredentialRequestFormatDraft14 = z$1.object({
 	format: zLegacySdJwtVcFormatIdentifier,
-	vct: z.string(),
-	claims: z.optional(zCredentialConfigurationSupportedClaimsDraft14),
-	credential_definition: z.optional(z.never())
+	vct: z$1.string(),
+	claims: z$1.optional(zCredentialConfigurationSupportedClaimsDraft14),
+	credential_definition: z$1.optional(z$1.never())
 });
 
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-vc-common.ts
-const zCredentialSubjectLeafTypeDraft14 = z.object({
-	mandatory: z.boolean().optional(),
-	value_type: z.string().optional(),
-	display: z.array(z.object({
-		name: z.string().optional(),
-		locale: z.string().optional()
+const zCredentialSubjectLeafTypeDraft14 = z$1.object({
+	mandatory: z$1.boolean().optional(),
+	value_type: z$1.string().optional(),
+	display: z$1.array(z$1.object({
+		name: z$1.string().optional(),
+		locale: z$1.string().optional()
 	}).loose()).optional()
 }).loose();
-const zClaimValueSchemaDraft14 = z.union([
-	z.array(z.any()),
-	z.record(z.string(), z.any()),
+const zClaimValueSchemaDraft14 = z$1.union([
+	z$1.array(z$1.any()),
+	z$1.record(z$1.string(), z$1.any()),
 	zCredentialSubjectLeafTypeDraft14
 ]);
-const zW3cVcCredentialSubjectDraft14 = z.record(z.string(), zClaimValueSchemaDraft14);
-const zW3cVcJsonLdCredentialDefinition = z.object({
-	"@context": z.array(z.string()),
-	type: z.tuple([z.string()], z.string())
+const zW3cVcCredentialSubjectDraft14 = z$1.record(z$1.string(), zClaimValueSchemaDraft14);
+const zW3cVcJsonLdCredentialDefinition = z$1.object({
+	"@context": z$1.array(z$1.string()),
+	type: z$1.tuple([z$1.string()], z$1.string())
 }).loose();
 const zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
-const zJwtVcJsonFormatIdentifier = z.literal("jwt_vc_json");
-const zJwtVcJsonCredentialDefinition = z.object({ type: z.tuple([z.string()], z.string()) }).loose();
+const zJwtVcJsonFormatIdentifier = z$1.literal("jwt_vc_json");
+const zJwtVcJsonCredentialDefinition = z$1.object({ type: z$1.tuple([z$1.string()], z$1.string()) }).loose();
 const zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 const zJwtVcJsonCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zJwtVcJsonCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 const zJwtVcJsonCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinitionDraft14,
-	order: z.array(z.string()).optional()
+	order: z$1.array(z$1.string()).optional()
 });
-const zJwtVcJsonCredentialIssuerMetadataDraft11 = z.object({
+const zJwtVcJsonCredentialIssuerMetadataDraft11 = z$1.object({
 	format: zJwtVcJsonFormatIdentifier,
-	order: z.array(z.string()).optional(),
-	types: z.tuple([z.string()], z.string()),
+	order: z$1.array(z$1.string()).optional(),
+	types: z$1.tuple([z$1.string()], z$1.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).loose();
 const zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(({ types, credentialSubject, ...rest }) => ({
@@ -509,14 +953,14 @@ const zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuer
 	types: type,
 	...credentialDefinition
 })).pipe(zJwtVcJsonCredentialIssuerMetadataDraft11);
-const zJwtVcJsonCredentialRequestFormatDraft14 = z.object({
+const zJwtVcJsonCredentialRequestFormatDraft14 = z$1.object({
 	format: zJwtVcJsonFormatIdentifier,
 	credential_definition: zJwtVcJsonCredentialDefinition
 });
-const zJwtVcJsonCredentialRequestDraft11 = z.object({
+const zJwtVcJsonCredentialRequestDraft11 = z$1.object({
 	format: zJwtVcJsonFormatIdentifier,
-	types: z.tuple([z.string()], z.string()),
-	credentialSubject: z.optional(zW3cVcCredentialSubjectDraft14)
+	types: z$1.tuple([z$1.string()], z$1.string()),
+	credentialSubject: z$1.optional(zW3cVcCredentialSubjectDraft14)
 }).loose();
 const zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(({ types, credentialSubject, ...rest }) => {
 	return {
@@ -535,28 +979,28 @@ const zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormat
 
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-jwt-vc-json-ld.ts
-const zJwtVcJsonLdFormatIdentifier = z.literal("jwt_vc_json-ld");
+const zJwtVcJsonLdFormatIdentifier = z$1.literal("jwt_vc_json-ld");
 const zJwtVcJsonLdCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zJwtVcJsonLdCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 const zJwtVcJsonLdCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-	order: z.optional(z.array(z.string()))
+	order: z$1.optional(z$1.array(z$1.string()))
 });
-const zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z.object({
-	order: z.array(z.string()).optional(),
+const zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z$1.object({
+	order: z$1.array(z$1.string()).optional(),
 	format: zJwtVcJsonLdFormatIdentifier,
-	"@context": z.array(z.string()),
-	types: z.tuple([z.string()], z.string()),
+	"@context": z$1.array(z$1.string()),
+	types: z$1.tuple([z$1.string()], z$1.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).loose();
 const zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -572,16 +1016,16 @@ const zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIs
 	...credentialDefinition,
 	types: type
 })).pipe(zJwtVcJsonLdCredentialIssuerMetadataDraft11);
-const zJwtVcJsonLdCredentialRequestFormatDraft14 = z.object({
+const zJwtVcJsonLdCredentialRequestFormatDraft14 = z$1.object({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition
 });
-const zJwtVcJsonLdCredentialRequestDraft11 = z.object({
+const zJwtVcJsonLdCredentialRequestDraft11 = z$1.object({
 	format: zJwtVcJsonLdFormatIdentifier,
-	credential_definition: z.object({
-		"@context": z.array(z.string()),
-		types: z.tuple([z.string()], z.string()),
-		credentialSubject: z.optional(zW3cVcCredentialSubjectDraft14)
+	credential_definition: z$1.object({
+		"@context": z$1.array(z$1.string()),
+		types: z$1.tuple([z$1.string()], z$1.string()),
+		credentialSubject: z$1.optional(zW3cVcCredentialSubjectDraft14)
 	}).loose()
 }).loose();
 const zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(({ credential_definition: { types, ...restCredentialDefinition }, ...rest }) => ({
@@ -601,28 +1045,28 @@ const zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFo
 
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-ldp-vc.ts
-const zLdpVcFormatIdentifier = z.literal("ldp_vc");
+const zLdpVcFormatIdentifier = z$1.literal("ldp_vc");
 const zLdpVcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional()
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional()
 });
 const zLdpVcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional()
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional()
 });
 const zLdpVcCredentialIssuerMetadataDraft14 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14,
-	order: z.array(z.string()).optional()
+	order: z$1.array(z$1.string()).optional()
 });
-const zLdpVcCredentialIssuerMetadataDraft11 = z.object({
-	order: z.array(z.string()).optional(),
+const zLdpVcCredentialIssuerMetadataDraft11 = z$1.object({
+	order: z$1.array(z$1.string()).optional(),
 	format: zLdpVcFormatIdentifier,
-	"@context": z.array(z.string()),
-	types: z.tuple([z.string()], z.string()),
+	"@context": z$1.array(z$1.string()),
+	types: z$1.tuple([z$1.string()], z$1.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 }).loose();
 const zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject, ...rest }) => ({
@@ -638,15 +1082,15 @@ const zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadata
 	...credentialDefinition,
 	types: type
 })).pipe(zLdpVcCredentialIssuerMetadataDraft11);
-const zLdpVcCredentialRequestFormatDraft14 = z.object({
+const zLdpVcCredentialRequestFormatDraft14 = z$1.object({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zW3cVcJsonLdCredentialDefinitionDraft14
 });
-const zLdpVcCredentialRequestDraft11 = z.object({
+const zLdpVcCredentialRequestDraft11 = z$1.object({
 	format: zLdpVcFormatIdentifier,
-	credential_definition: z.object({
-		"@context": z.array(z.string()),
-		types: z.tuple([z.string()], z.string()),
+	credential_definition: z$1.object({
+		"@context": z$1.array(z$1.string()),
+		types: z$1.tuple([z$1.string()], z$1.string()),
 		credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 	})
 }).loose();
@@ -667,25 +1111,25 @@ const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.
 
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-sd-jwt-vc.ts
-const zSdJwtW3VcFormatIdentifier = z.literal("vc+sd-jwt");
-const zSdJwtW3VcCredentialDefinition = z.object({ type: z.tuple([z.string()], z.string()) }).loose();
+const zSdJwtW3VcFormatIdentifier = z$1.literal("vc+sd-jwt");
+const zSdJwtW3VcCredentialDefinition = z$1.object({ type: z$1.tuple([z$1.string()], z$1.string()) }).loose();
 const zSdJwtW3VcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
-	credential_signing_alg_values_supported: z.array(z.string()).optional(),
-	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
-	vct: z.optional(z.never())
+	credential_signing_alg_values_supported: z$1.array(z$1.string()).optional(),
+	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.extend({ claims: z$1.array(zIssuerMetadataClaimsDescription).optional() }).optional(),
+	vct: z$1.optional(z$1.never())
 });
 const zSdJwtW3VcCredentialIssuerMetadataDraft15 = zCredentialConfigurationSupportedCommonDraft15.extend({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
-	claims: z.array(zIssuerMetadataClaimsDescription).optional(),
-	vct: z.optional(z.never())
+	claims: z$1.array(zIssuerMetadataClaimsDescription).optional(),
+	vct: z$1.optional(z$1.never())
 });
-const zSdJwtW3VcCredentialRequestFormatDraft14 = z.object({
+const zSdJwtW3VcCredentialRequestFormatDraft14 = z$1.object({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
-	vct: z.optional(z.never())
+	vct: z$1.optional(z$1.never())
 });
 
 //#endregion
@@ -711,50 +1155,50 @@ const allCredentialIssuerMetadataFormats = [
 	zJwtVcJsonCredentialIssuerMetadataDraft14
 ];
 const allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadataFormats.map((format) => format.shape.format.value);
-const zCredentialConfigurationSupportedWithFormats = z.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
+const zCredentialConfigurationSupportedWithFormats = z$1.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
 	if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
 	const validators = allCredentialIssuerMetadataFormats.filter((formatValidator) => formatValidator.shape.format.value === data.format);
-	const result = z.object({}).loose().and(validators.length > 1 ? z.union(validators) : validators[0]).safeParse(data);
+	const result = z$1.object({}).loose().and(validators.length > 1 ? z$1.union(validators) : validators[0]).safeParse(data);
 	if (result.success) return result.data;
 	for (const issue of result.error.issues) ctx.addIssue({
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 });
-const zCredentialIssuerMetadataDisplayEntry = z.object({
-	name: z.string().optional(),
-	locale: z.string().optional(),
-	logo: z.object({
+const zCredentialIssuerMetadataDisplayEntry = z$1.object({
+	name: z$1.string().optional(),
+	locale: z$1.string().optional(),
+	logo: z$1.object({
 		uri: zHttpsUrl.or(zDataUrl).optional(),
-		alt_text: z.string().optional()
+		alt_text: z$1.string().optional()
 	}).loose().optional()
 }).loose();
-const zCredentialIssuerMetadataDraft14Draft15V1 = z.object({
+const zCredentialIssuerMetadataDraft14Draft15V1 = z$1.object({
 	credential_issuer: zHttpsUrl,
-	authorization_servers: z.array(zHttpsUrl).optional(),
+	authorization_servers: z$1.array(zHttpsUrl).optional(),
 	credential_endpoint: zHttpsUrl,
 	deferred_credential_endpoint: zHttpsUrl.optional(),
 	notification_endpoint: zHttpsUrl.optional(),
 	nonce_endpoint: zHttpsUrl.optional(),
-	credential_response_encryption: z.object({
-		alg_values_supported: z.array(z.string()),
-		enc_values_supported: z.array(z.string()),
-		encryption_required: z.boolean()
+	credential_response_encryption: z$1.object({
+		alg_values_supported: z$1.array(z$1.string()),
+		enc_values_supported: z$1.array(z$1.string()),
+		encryption_required: z$1.boolean()
 	}).loose().optional(),
-	batch_credential_issuance: z.object({ batch_size: z.number().positive() }).loose().optional(),
-	display: z.array(zCredentialIssuerMetadataDisplayEntry).optional(),
-	credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedCommon)
+	batch_credential_issuance: z$1.object({ batch_size: z$1.number().positive() }).loose().optional(),
+	display: z$1.array(zCredentialIssuerMetadataDisplayEntry).optional(),
+	credential_configurations_supported: z$1.record(z$1.string(), zCredentialConfigurationSupportedCommon)
 }).loose();
-const zCredentialConfigurationSupportedDraft11ToV1 = z.object({
-	id: z.string().optional(),
-	format: z.string(),
-	cryptographic_suites_supported: z.array(z.string()).optional(),
-	display: z.array(z.object({
-		logo: z.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
-		background_image: z.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional()
+const zCredentialConfigurationSupportedDraft11ToV1 = z$1.object({
+	id: z$1.string().optional(),
+	format: z$1.string(),
+	cryptographic_suites_supported: z$1.array(z$1.string()).optional(),
+	display: z$1.array(z$1.object({
+		logo: z$1.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional(),
+		background_image: z$1.object({ url: zHttpsUrl.or(zDataUrl).optional() }).loose().optional()
 	}).loose()).optional(),
-	claims: z.any().transform((claims) => claimsObjectToClaimsArray(claims)).optional()
+	claims: z$1.any().transform((claims) => claimsObjectToClaimsArray(claims)).optional()
 }).loose().transform(({ cryptographic_suites_supported, display, claims, id, format, ...rest }) => ({
 	...rest,
 	format: format === "vc+sd-jwt" && rest.vct ? "dc+sd-jwt" : format,
@@ -780,7 +1224,7 @@ const zCredentialConfigurationSupportedDraft11ToV1 = z.object({
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSupportedWithFormats.transform(({ credential_metadata, ...rest }) => ({
 	...credential_metadata,
@@ -794,7 +1238,7 @@ const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSup
 			path: ["id"],
 			message: "Missing required id field"
 		});
-		return z.NEVER;
+		return z$1.NEVER;
 	}
 	return {
 		...configuration,
@@ -821,26 +1265,26 @@ const zCredentialConfigurationSupportedV1ToDraft11 = zCredentialConfigurationSup
 		};
 	}) } : {},
 	id
-})).pipe(z.union([
+})).pipe(z$1.union([
 	zLdpVcCredentialIssuerMetadataDraft14To11,
 	zJwtVcJsonCredentialIssuerMetadataDraft14To11,
 	zJwtVcJsonLdCredentialIssuerMetadataDraft14To11,
-	z.object({ format: z.string().refine((input) => ![
+	z$1.object({ format: z$1.string().refine((input) => ![
 		zLdpVcFormatIdentifier.value,
 		zJwtVcJsonFormatIdentifier.value,
 		zJwtVcJsonLdFormatIdentifier.value
 	].includes(input)) }).loose()
 ]));
-const zCredentialIssuerMetadataDraft11ToV1 = z.object({
-	authorization_server: z.string().optional(),
-	credentials_supported: z.array(z.object({ id: z.string().optional() }).loose())
+const zCredentialIssuerMetadataDraft11ToV1 = z$1.object({
+	authorization_server: z$1.string().optional(),
+	credentials_supported: z$1.array(z$1.object({ id: z$1.string().optional() }).loose())
 }).loose().transform(({ authorization_server, credentials_supported, ...rest }) => {
 	return {
 		...rest,
 		...authorization_server ? { authorization_servers: [authorization_server] } : {},
 		credential_configurations_supported: Object.fromEntries(credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0))
 	};
-}).pipe(z.object({ credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedDraft11ToV1) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15V1);
+}).pipe(z$1.object({ credential_configurations_supported: z$1.record(z$1.string(), zCredentialConfigurationSupportedDraft11ToV1) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15V1);
 const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15V1.transform((issuerMetadata) => ({
 	...issuerMetadata,
 	...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
@@ -848,9 +1292,9 @@ const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Dra
 		...value,
 		id
 	}))
-})).pipe(zCredentialIssuerMetadataDraft14Draft15V1.extend({ credentials_supported: z.array(zCredentialConfigurationSupportedV1ToDraft11) }));
-const zCredentialIssuerMetadata = z.union([zCredentialIssuerMetadataDraft14Draft15V1, zCredentialIssuerMetadataDraft11ToV1]);
-const zCredentialIssuerMetadataWithDraftVersion = z.union([zCredentialIssuerMetadataDraft14Draft15V1.transform((credentialIssuerMetadata) => {
+})).pipe(zCredentialIssuerMetadataDraft14Draft15V1.extend({ credentials_supported: z$1.array(zCredentialConfigurationSupportedV1ToDraft11) }));
+const zCredentialIssuerMetadata = z$1.union([zCredentialIssuerMetadataDraft14Draft15V1, zCredentialIssuerMetadataDraft11ToV1]);
+const zCredentialIssuerMetadataWithDraftVersion = z$1.union([zCredentialIssuerMetadataDraft14Draft15V1.transform((credentialIssuerMetadata) => {
 	const credentialConfigurations = Object.values(credentialIssuerMetadata.credential_configurations_supported);
 	const isDraft15 = credentialConfigurations.some((configuration) => {
 		const knownConfiguration = configuration;
@@ -929,16 +1373,25 @@ function claimsObjectToClaimsArray(claims) {
 	return result;
 }
 
+//#endregion
+//#region src/authorization-flow.ts
+let AuthorizationFlow = /* @__PURE__ */ function(AuthorizationFlow$1) {
+	AuthorizationFlow$1["Oauth2Redirect"] = "Oauth2Redirect";
+	AuthorizationFlow$1["PresentationDuringIssuance"] = "PresentationDuringIssuance";
+	AuthorizationFlow$1["InteractiveAuthorizationOpenid4vp"] = "InteractiveAuthorizationOpenid4vp";
+	return AuthorizationFlow$1;
+}({});
+
 //#endregion
 //#region src/metadata/credential-issuer/z-signed-credential-issuer-metadata.ts
-const zSignedCredentialIssuerMetadataHeader = z.object({
+const zSignedCredentialIssuerMetadataHeader = z$1.object({
 	...zJwtHeader.shape,
-	typ: z.literal("openidvci-issuer-metadata+jwt")
+	typ: z$1.literal("openidvci-issuer-metadata+jwt")
 }).loose();
-const zSignedCredentialIssuerMetadataPayload = z.object({
+const zSignedCredentialIssuerMetadataPayload = z$1.object({
 	...zJwtPayload.shape,
 	iat: zNumericDate,
-	sub: z.string(),
+	sub: z$1.string(),
 	...zCredentialIssuerMetadataDraft14Draft15V1.shape
 }).loose();
 
@@ -1078,9 +1531,9 @@ function getCredentialRequestFormatPayloadForCredentialConfigurationId(options)
 
 //#endregion
 //#region src/formats/proof-type/attestation/z-attestation-proof-type.ts
-const zAttestationProofTypeIdentifier = z.literal("attestation");
+const zAttestationProofTypeIdentifier = z$1.literal("attestation");
 const attestationProofTypeIdentifier = zAttestationProofTypeIdentifier.value;
-const zCredentialRequestProofAttestation = z.object({
+const zCredentialRequestProofAttestation = z$1.object({
 	proof_type: zAttestationProofTypeIdentifier,
 	attestation: zCompactJwt
 });
@@ -1088,40 +1541,40 @@ const zCredentialRequestAttestationProofTypePayload = zKeyAttestationJwtPayloadF
 
 //#endregion
 //#region src/formats/proof-type/jwt/z-jwt-proof-type.ts
-const zJwtProofTypeIdentifier = z.literal("jwt");
+const zJwtProofTypeIdentifier = z$1.literal("jwt");
 const jwtProofTypeIdentifier = zJwtProofTypeIdentifier.value;
-const zCredentialRequestProofJwt = z.object({
+const zCredentialRequestProofJwt = z$1.object({
 	proof_type: zJwtProofTypeIdentifier,
 	jwt: zCompactJwt
 });
 const zCredentialRequestJwtProofTypeHeader = zJwtHeader.extend({
-	key_attestation: z.optional(zCompactJwt),
-	typ: z.literal("openid4vci-proof+jwt")
+	key_attestation: z$1.optional(zCompactJwt),
+	typ: z$1.literal("openid4vci-proof+jwt")
 }).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
-const zCredentialRequestJwtProofTypePayload = z.object({
+const zCredentialRequestJwtProofTypePayload = z$1.object({
 	...zJwtPayload.shape,
-	aud: z.union([zHttpsUrl, z.array(zHttpsUrl)]),
+	aud: z$1.union([zHttpsUrl, z$1.array(zHttpsUrl)]),
 	iat: zNumericDate
 }).loose();
 
 //#endregion
 //#region src/credential-request/z-credential-request-common.ts
-const zCredentialRequestProofCommon = z.object({ proof_type: z.string() }).loose();
+const zCredentialRequestProofCommon = z$1.object({ proof_type: z$1.string() }).loose();
 const allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
-const zCredentialRequestProof = z.union([zCredentialRequestProofCommon, z.discriminatedUnion("proof_type", allCredentialRequestProofs)]);
-const zCredentialRequestProofsCommon = z.record(z.string(), z.array(z.unknown()));
-const zCredentialRequestProofs = z.object({
-	[zJwtProofTypeIdentifier.value]: z.optional(z.array(zCredentialRequestProofJwt.shape.jwt)),
-	[zAttestationProofTypeIdentifier.value]: z.optional(z.array(zCredentialRequestProofAttestation.shape.attestation))
+const zCredentialRequestProof = z$1.union([zCredentialRequestProofCommon, z$1.discriminatedUnion("proof_type", allCredentialRequestProofs)]);
+const zCredentialRequestProofsCommon = z$1.record(z$1.string(), z$1.array(z$1.unknown()));
+const zCredentialRequestProofs = z$1.object({
+	[zJwtProofTypeIdentifier.value]: z$1.optional(z$1.array(zCredentialRequestProofJwt.shape.jwt)),
+	[zAttestationProofTypeIdentifier.value]: z$1.optional(z$1.array(zCredentialRequestProofAttestation.shape.attestation))
 });
-const zCredentialResponseEncryption = z.object({
+const zCredentialResponseEncryption = z$1.object({
 	jwk: zJwk,
-	alg: z.string(),
-	enc: z.string()
+	alg: z$1.string(),
+	enc: z$1.string()
 }).loose();
-const zCredentialRequestCommon = z.object({
+const zCredentialRequestCommon = z$1.object({
 	proof: zCredentialRequestProof.optional(),
-	proofs: z.optional(z.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, { message: `The 'proofs' object in a credential request should contain exactly one attribute` })),
+	proofs: z$1.optional(z$1.intersection(zCredentialRequestProofsCommon, zCredentialRequestProofs).refine((proofs) => Object.values(proofs).length === 1, { message: `The 'proofs' object in a credential request should contain exactly one attribute` })),
 	credential_response_encryption: zCredentialResponseEncryption.optional()
 }).loose().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
 
@@ -1136,31 +1589,31 @@ const allCredentialRequestFormats = [
 	zLegacySdJwtVcCredentialRequestFormatDraft14
 ];
 const allCredentialRequestFormatIdentifiers = allCredentialRequestFormats.map((format) => format.shape.format.value);
-const zCredentialRequestCredentialConfigurationId = z.object({
-	credential_configuration_id: z.string(),
-	credential_identifier: z.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
+const zCredentialRequestCredentialConfigurationId = z$1.object({
+	credential_configuration_id: z$1.string(),
+	credential_identifier: z$1.never({ message: "'credential_identifier' cannot be defined when 'credential_configuration_id' is set." }).optional()
 });
-const zAuthorizationDetailsCredentialRequest = z.object({
-	credential_identifier: z.string(),
-	credential_configuration_id: z.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional()
+const zAuthorizationDetailsCredentialRequest = z$1.object({
+	credential_identifier: z$1.string(),
+	credential_configuration_id: z$1.never({ message: "'credential_configuration_id' cannot be defined when 'credential_identifier' is set." }).optional()
 });
-const zCredentialRequestFormat = z.object({
-	format: z.string(),
-	credential_identifier: z.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
-	credential_configuration_id: z.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
+const zCredentialRequestFormat = z$1.object({
+	format: z$1.string(),
+	credential_identifier: z$1.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
+	credential_configuration_id: z$1.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
 }).loose();
 const zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
 	if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-	const result = z.object({}).loose().and(z.union(allCredentialRequestFormats)).safeParse(data);
+	const result = z$1.object({}).loose().and(z$1.union(allCredentialRequestFormats)).safeParse(data);
 	if (result.success) return result.data;
 	for (const issue of result.error.issues) ctx.addIssue({
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 });
-const zCredentialRequestDraft15 = z.union([zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest), zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)]);
-const zCredentialRequestDraft14 = z.union([zCredentialRequestDraft14WithFormat, zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)]);
+const zCredentialRequestDraft15 = z$1.union([zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest), zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)]);
+const zCredentialRequestDraft14 = z$1.union([zCredentialRequestDraft14WithFormat, zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest)]);
 const zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
 	const formatSpecificTransformations = {
 		[zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft11To14,
@@ -1174,7 +1627,7 @@ const zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRe
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 }).pipe(zCredentialRequestDraft14);
 const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data, ctx) => {
 	if (data.credential_identifier !== void 0) {
@@ -1184,7 +1637,7 @@ const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data,
 			message: `'credential_identifier' is not supported in OpenID4VCI draft 11`,
 			path: ["credential_identifier"]
 		});
-		return z.NEVER;
+		return z$1.NEVER;
 	}
 	const formatSpecificTransformations = {
 		[zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft14To11,
@@ -1198,15 +1651,15 @@ const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data,
 		...issue,
 		code: issue.code
 	});
-	return z.NEVER;
+	return z$1.NEVER;
 });
-const zCredentialRequest = z.union([
+const zCredentialRequest = z$1.union([
 	zCredentialRequestDraft15,
 	zCredentialRequestDraft14,
 	zCredentialRequestDraft11To14
 ]);
-const zDeferredCredentialRequest = z.object({
-	transaction_id: z.string().nonempty(),
+const zDeferredCredentialRequest = z$1.object({
+	transaction_id: z$1.string().nonempty(),
 	credential_response_encryption: zCredentialResponseEncryption.optional()
 });
 
@@ -1238,6 +1691,7 @@ let Oauth2ErrorCodes$1 = /* @__PURE__ */ function(Oauth2ErrorCodes$2) {
 	Oauth2ErrorCodes$2["InvalidTransactionId"] = "invalid_transaction_id";
 	Oauth2ErrorCodes$2["UnsupportedCredentialType"] = "unsupported_credential_type";
 	Oauth2ErrorCodes$2["UnsupportedCredentialFormat"] = "unsupported_credential_format";
+	Oauth2ErrorCodes$2["MissingInteractionType"] = "missing_interaction_type";
 	Oauth2ErrorCodes$2["InvalidRequestUri"] = "invalid_request_uri";
 	Oauth2ErrorCodes$2["InvalidRequestObject"] = "invalid_request_object";
 	Oauth2ErrorCodes$2["RequestNotSupported"] = "request_not_supported";
@@ -1251,25 +1705,25 @@ let Oauth2ErrorCodes$1 = /* @__PURE__ */ function(Oauth2ErrorCodes$2) {
 	Oauth2ErrorCodes$2["WalletUnavailable"] = "wallet_unavailable";
 	return Oauth2ErrorCodes$2;
 }({});
-const zOauth2ErrorResponse = z.object({
-	error: z.union([z.enum(Oauth2ErrorCodes$1), z.string()]),
-	error_description: z.string().optional(),
-	error_uri: z.string().optional()
+const zOauth2ErrorResponse$1 = z$1.object({
+	error: z$1.union([z$1.enum(Oauth2ErrorCodes$1), z$1.string()]),
+	error_description: z$1.string().optional(),
+	error_uri: z$1.string().optional()
 }).loose();
 
 //#endregion
 //#region src/credential-request/z-credential-response.ts
-const zCredentialEncoding = z.union([z.string(), z.record(z.string(), z.any())]);
-const zBaseCredentialResponse = z.object({
-	credentials: z.union([z.array(z.object({ credential: zCredentialEncoding })), z.array(zCredentialEncoding)]).optional(),
-	notification_id: z.string().optional(),
-	transaction_id: z.string().optional(),
-	interval: z.number().int().positive().optional()
+const zCredentialEncoding = z$1.union([z$1.string(), z$1.record(z$1.string(), z$1.any())]);
+const zBaseCredentialResponse = z$1.object({
+	credentials: z$1.union([z$1.array(z$1.object({ credential: zCredentialEncoding })), z$1.array(zCredentialEncoding)]).optional(),
+	notification_id: z$1.string().optional(),
+	transaction_id: z$1.string().optional(),
+	interval: z$1.number().int().positive().optional()
 }).loose();
 const zCredentialResponse = zBaseCredentialResponse.extend({
-	credential: z.optional(zCredentialEncoding),
-	c_nonce: z.string().optional(),
-	c_nonce_expires_in: z.number().int().optional()
+	credential: z$1.optional(zCredentialEncoding),
+	c_nonce: z$1.string().optional(),
+	c_nonce_expires_in: z$1.number().int().optional()
 }).loose().superRefine((value, ctx) => {
 	const { credential, credentials, transaction_id, interval, notification_id } = value;
 	if ([credential || credentials, transaction_id].filter((i) => i !== void 0).length !== 1) ctx.addIssue({
@@ -1285,10 +1739,10 @@ const zCredentialResponse = zBaseCredentialResponse.extend({
 		message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
 	});
 });
-const zCredentialErrorResponse = z.object({
-	...zOauth2ErrorResponse.shape,
-	c_nonce: z.string().optional(),
-	c_nonce_expires_in: z.number().int().optional()
+const zCredentialErrorResponse = z$1.object({
+	...zOauth2ErrorResponse$1.shape,
+	c_nonce: z$1.string().optional(),
+	c_nonce_expires_in: z$1.number().int().optional()
 }).loose();
 const zDeferredCredentialResponse = zBaseCredentialResponse.superRefine((value, ctx) => {
 	const { credentials, transaction_id, interval, notification_id } = value;
@@ -1579,9 +2033,9 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 
 //#endregion
 //#region src/nonce/z-nonce.ts
-const zNonceResponse = z.object({
-	c_nonce: z.string(),
-	c_nonce_expires_in: z.optional(zInteger)
+const zNonceResponse = z$1.object({
+	c_nonce: z$1.string(),
+	c_nonce_expires_in: z$1.optional(zInteger)
 }).loose();
 
 //#endregion
@@ -1598,7 +2052,7 @@ async function requestNonce(options) {
 	const nonceEndpoint = options.issuerMetadata.credentialIssuer.nonce_endpoint;
 	if (!nonceEndpoint) throw new Openid4vciError(`Credential issuer '${options.issuerMetadata.credentialIssuer.credential_issuer}' does not have a nonce endpoint.`);
 	const { response, result } = await fetchWithZod(zNonceResponse, ContentType.Json, nonceEndpoint, { method: "POST" });
-	if (!response.ok || !result) throw new InvalidFetchResponseError(`Requesting nonce from '${nonceEndpoint}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
+	if (!response.ok || !result) throw new InvalidFetchResponseError$1(`Requesting nonce from '${nonceEndpoint}' resulted in an unsuccessful response with status '${response.status}'`, await response.clone().text(), response);
 	if (!result.success) throw new ValidationError("Error parsing nonce response", result.error);
 	return result.data;
 }
@@ -1612,17 +2066,17 @@ function createNonceResponse(options) {
 
 //#endregion
 //#region src/notification/z-notification.ts
-const zNotificationEvent = z.enum([
+const zNotificationEvent = z$1.enum([
 	"credential_accepted",
 	"credential_failure",
 	"credential_deleted"
 ]);
-const zNotificationRequest = z.object({
-	notification_id: z.string(),
+const zNotificationRequest = z$1.object({
+	notification_id: z$1.string(),
 	event: zNotificationEvent,
-	event_description: z.optional(z.string())
+	event_description: z$1.optional(z$1.string())
 }).loose();
-const zNotificationErrorResponse = z.object({ error: z.enum(["invalid_notification_id", "invalid_notification_request"]) }).loose();
+const zNotificationErrorResponse = z$1.object({ error: z$1.enum(["invalid_notification_id", "invalid_notification_request"]) }).loose();
 
 //#endregion
 //#region src/notification/notification.ts
@@ -1657,11 +2111,6 @@ async function sendNotification(options) {
 
 //#endregion
 //#region src/Openid4vciClient.ts
-let AuthorizationFlow = /* @__PURE__ */ function(AuthorizationFlow$1) {
-	AuthorizationFlow$1["Oauth2Redirect"] = "Oauth2Redirect";
-	AuthorizationFlow$1["PresentationDuringIssuance"] = "PresentationDuringIssuance";
-	return AuthorizationFlow$1;
-}({});
 var Openid4vciClient = class {
 	constructor(options) {
 		this.options = options;
@@ -1678,7 +2127,9 @@ var Openid4vciClient = class {
 		return resolveIssuerMetadata(credentialIssuer, { callbacks: this.options.callbacks });
 	}
 	/**
-	* Retrieve an authorization code for a presentation during issuance session
+	* Retrieve an authorization code for a legacy presentation during issuance session
+	*
+	* This can only be called if the initiateAuthorization returned {@link AuthorizationFlow.PresentationDuringIssuance}.
 	*
 	* This can only be called if an authorization challenge was performed before and returned a
 	* `presentation` parameter along with an `auth_session`. If the presentation response included
@@ -1704,18 +2155,53 @@ var Openid4vciClient = class {
 		};
 	}
 	/**
-	* Initiates authorization for credential issuance. It handles the following cases:
-	* - Authorization Challenge
+	* Retrieve authorization code using Interactive Authorization Endpoint after OpenID4VP presentation
+	*
+	* This method is used when the Interactive Authorization Endpoint requires an OpenID4VP presentation.
+	* After completing the presentation, call this method with the auth_session and the openid4vp_response.
+	*
+	* @param options - Options including auth_session and openid4vp_response
+	* @returns The authorization code
+	*/
+	async retrieveAuthorizationCodeUsingInteractiveAuthorization(options) {
+		const authorizationCodeGrant = options.credentialOffer.grants?.[authorizationCodeGrantIdentifier];
+		if (!authorizationCodeGrant) throw new Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
+		const authorizationServer = determineAuthorizationServerForCredentialOffer({
+			issuerMetadata: options.issuerMetadata,
+			grantAuthorizationServer: authorizationCodeGrant.authorization_server
+		});
+		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(options.issuerMetadata.authorizationServers, authorizationServer);
+		if (!authorizationServerMetadata.interactive_authorization_endpoint) throw new Openid4vciError("Authorization server does not support interactive authorization endpoint");
+		const { interactiveAuthorizationResponse, dpop } = await this.sendInteractiveAuthorizationRequest({
+			authorizationServerMetadata,
+			request: {
+				auth_session: options.authSession,
+				openid4vp_response: options.openid4vpResponse
+			},
+			dpop: options.dpop
+		});
+		if (interactiveAuthorizationResponse.status !== "ok") throw new Openid4vciError(`Interactive authorization did not return status 'ok'. Received status '${interactiveAuthorizationResponse.status}'.`);
+		return {
+			authorizationCode: interactiveAuthorizationResponse.code,
+			dpop
+		};
+	}
+	/**
+	* Initiates authorization for credential issuance. It handles the following cases (in order):
+	* - Interactive Authorization Endpoint (OpenID4VCI 1.1) - preferred method
+	* - Authorization Challenge (OAuth 2.0 First-Party Applications) - fallback
 	* - Pushed Authorization Request
 	* - Regular Authorization url
 	*
-	* In case the authorization challenge request returns an error with `insufficient_authorization`
-	* with a `presentation` field it means the authorization server expects presentation of credentials
-	* before issuance of credentials. If this is the case, the value in `presentation` should be treated
-	* as an openid4vp authorization request and submitted to the verifier. Once the presentation response
-	* has been submitted, the RP will respond with a `presentation_during_issuance_session` parameter.
-	* Together with the `auth_session` parameter returned in this call you can retrieve an `authorization_code`
-	* using
+	* The Interactive Authorization Endpoint can return:
+	* - `status: 'require_interaction'` with type 'openid4vp_presentation' (requires OpenID4VP presentation)
+	* - `status: 'require_interaction'` with type 'redirect_to_web' (requires browser redirect)
+	*
+	* For Authorization Challenge (legacy), an error with `insufficient_authorization` and `presentation`
+	* field means the AS expects presentation of credentials before issuance. The value in `presentation`
+	* should be treated as an OpenID4VP authorization request. Once submitted, the RP will respond with
+	* a `presentation_during_issuance_session` parameter. Together with the `auth_session` you can
+	* retrieve an authorization code using {@link retrieveAuthorizationCodeUsingPresentation}.
 	*/
 	async initiateAuthorization(options) {
 		if (!options.credentialOffer.grants?.[authorizationCodeGrantIdentifier]) throw new Oauth2Error(`Provided credential offer does not include the 'authorization_code' grant.`);
@@ -1727,6 +2213,53 @@ var Openid4vciClient = class {
 		const authorizationServerMetadata = getAuthorizationServerMetadataFromList(options.issuerMetadata.authorizationServers, authorizationServer);
 		const oauth2Client = new Oauth2Client({ callbacks: this.options.callbacks });
 		try {
+			if (authorizationServerMetadata.interactive_authorization_endpoint) {
+				const pkce = authorizationServerMetadata.code_challenge_methods_supported ? await createPkce({
+					allowedCodeChallengeMethods: authorizationServerMetadata.code_challenge_methods_supported,
+					callbacks: this.options.callbacks,
+					codeVerifier: options.pkceCodeVerifier
+				}) : void 0;
+				const result = await this.sendInteractiveAuthorizationRequest({
+					authorizationServerMetadata,
+					request: {
+						response_type: "code",
+						client_id: options.clientId,
+						interaction_types_supported: ["redirect_to_web", "openid4vp_presentation"].join(","),
+						scope: options.scope,
+						redirect_uri: options.redirectUri,
+						resource: options.resource,
+						state: options.state,
+						code_challenge: pkce?.codeChallenge,
+						code_challenge_method: pkce?.codeChallengeMethod,
+						...options.additionalRequestPayload
+					},
+					dpop: options.dpop
+				});
+				const response = result.interactiveAuthorizationResponse;
+				if (response.status === "ok") throw new Oauth2Error("Received a successful authorization code response from interactive authorization endpoint without authorization");
+				if (response.status === "require_interaction") {
+					if (response.type === "redirect_to_web") {
+						const authorizationRequestUrl = `${authorizationServerMetadata.authorization_endpoint}?${objectToQueryParams({
+							request_uri: response.request_uri,
+							client_id: options.clientId
+						}).toString()}`;
+						return {
+							authorizationFlow: AuthorizationFlow.Oauth2Redirect,
+							authorizationServer,
+							dpop: result.dpop,
+							authorizationRequestUrl,
+							pkce
+						};
+					}
+					if (response.type === "openid4vp_presentation") return {
+						authorizationFlow: AuthorizationFlow.InteractiveAuthorizationOpenid4vp,
+						authorizationServer,
+						dpop: result.dpop,
+						openid4vpRequest: response.openid4vp_request,
+						authSession: response.auth_session
+					};
+				}
+			}
 			return {
 				...await oauth2Client.initiateAuthorization({
 					clientId: options.clientId,
@@ -1951,6 +2484,21 @@ var Openid4vciClient = class {
 		if (!notificationResponse.ok) throw new Openid4vciSendNotificationError(`Error sending notification to '${issuerMetadata.credentialIssuer.credential_issuer}'`, notificationResponse);
 		return notificationResponse;
 	}
+	/**
+	* Send an Interactive Authorization Request
+	*
+	* This method sends a request to the Interactive Authorization Endpoint.
+	* Supports both initial requests and follow-up requests.
+	*
+	* @param options - Request options
+	* @returns The interactive authorization response and updated DPoP config
+	*/
+	async sendInteractiveAuthorizationRequest(options) {
+		return sendInteractiveAuthorizationRequest({
+			...options,
+			callbacks: this.options.callbacks
+		});
+	}
 };
 
 //#endregion
@@ -2015,7 +2563,7 @@ function parseCredentialRequest(options) {
 	let proofs;
 	const knownProofs = zCredentialRequestProofs.strict().safeParse(credentialRequest.proofs);
 	if (knownProofs.success) proofs = knownProofs.data;
-	const knownProof = z.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
+	const knownProof = z$1.union(allCredentialRequestProofs).safeParse(credentialRequest.proof);
 	if (knownProof.success && knownProof.data.proof_type === jwtProofTypeIdentifier) proofs = { [jwtProofTypeIdentifier]: [knownProof.data.jwt] };
 	else if (knownProof.success && knownProof.data.proof_type === attestationProofTypeIdentifier) proofs = { [attestationProofTypeIdentifier]: [knownProof.data.attestation] };
 	const credentialResponseEncryption = credentialRequest.credential_response_encryption;
@@ -2036,7 +2584,7 @@ function parseCredentialRequest(options) {
 		credentialResponseEncryption
 	};
 	if (credentialRequest.format && allCredentialRequestFormatIdentifiers.includes(credentialRequest.format)) return {
-		format: parseWithErrorHandling(z.union(allCredentialRequestFormats), credentialRequest, "Unable to validate format specific properties from credential request"),
+		format: parseWithErrorHandling(z$1.union(allCredentialRequestFormats), credentialRequest, "Unable to validate format specific properties from credential request"),
 		credentialRequest,
 		proofs,
 		credentialResponseEncryption
@@ -2233,6 +2781,71 @@ var Openid4vciIssuer = class {
 	async verifyWalletAttestation(options) {
 		return new Oauth2AuthorizationServer({ callbacks: this.options.callbacks }).verifyClientAttestation(options);
 	}
+	/**
+	* Parse an Interactive Authorization Request
+	*
+	* This method parses and validates an Interactive Authorization Endpoint request.
+	* It automatically detects whether this is an initial request, a follow-up request,
+	* or a JAR (JWT-secured) request based on the parameters present.
+	*/
+	async parseInteractiveAuthorizationRequest(options) {
+		return parseInteractiveAuthorizationRequest({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
+	/**
+	* Verify an initial (possibly signed) Interactive Authorization Request
+	*
+	* This method verifies the interactive authorization request including:
+	* - JAR (JWT-secured Authorization Request) signature verification (if present)
+	* - Client attestation (if present)
+	* - DPoP binding (if present)
+	* - Authorization request parameters
+	*/
+	async verifyInteractiveAuthorizationInitialRequest(options) {
+		return verifyInteractiveAuthorizationInitialRequest({
+			callbacks: this.options.callbacks,
+			...options
+		});
+	}
+	/**
+	* Create a successful Interactive Authorization Code Response
+	*
+	* This response indicates that the authorization process is complete
+	* and returns an authorization code that can be exchanged for an access token.
+	*/
+	createInteractiveAuthorizationCodeResponse(options) {
+		return createInteractiveAuthorizationCodeResponse(options);
+	}
+	/**
+	* Create an Interactive Authorization Interaction Required Response
+	* requesting an OpenID4VP presentation
+	*
+	* This response indicates that the wallet must present credentials
+	* via OpenID4VP before authorization can be granted.
+	*/
+	createInteractiveAuthorizationOpenid4vpInteraction(options) {
+		return createInteractiveAuthorizationOpenid4vpInteraction(options);
+	}
+	/**
+	* Create an Interactive Authorization Interaction Required Response
+	* requesting a redirect to web
+	*
+	* This response indicates that the authorization process must continue
+	* via interactions with the user in a web browser.
+	*/
+	createInteractiveAuthorizationRedirectToWebInteraction(options) {
+		return createInteractiveAuthorizationRedirectToWebInteraction(options);
+	}
+	/**
+	* Create an Interactive Authorization Error Response
+	*
+	* This response indicates that an error occurred during the authorization process.
+	*/
+	createInteractiveAuthorizationErrorResponse(options) {
+		return createInteractiveAuthorizationErrorResponse(options);
+	}
 };
 
 //#endregion
@@ -2265,5 +2878,5 @@ var Openid4vciWalletProvider = class {
 };
 
 //#endregion
-export { AuthorizationFlow, Openid4vciClient, Openid4vciDraftVersion, Openid4vciError, Openid4vciIssuer, Openid4vciRetrieveCredentialsError, Openid4vciSendNotificationError, Openid4vciVersion, Openid4vciWalletProvider, createKeyAttestationJwt, credentialsSupportedToCredentialConfigurationsSupported, determineAuthorizationServerForCredentialOffer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat, getGlobalConfig, parseKeyAttestationJwt, setGlobalConfig, verifyKeyAttestationJwt };
+export { AuthorizationFlow, InteractiveAuthorizationRequestType, Openid4vciClient, Openid4vciClientInteractiveAuthorizationError, Openid4vciDraftVersion, Openid4vciError, Openid4vciIssuer, Openid4vciRetrieveCredentialsError, Openid4vciSendNotificationError, Openid4vciVersion, Openid4vciWalletProvider, createInteractiveAuthorizationCodeResponse, createInteractiveAuthorizationErrorResponse, createInteractiveAuthorizationOpenid4vpInteraction, createInteractiveAuthorizationRedirectToWebInteraction, createKeyAttestationJwt, credentialsSupportedToCredentialConfigurationsSupported, determineAuthorizationServerForCredentialOffer, extractScopesForCredentialConfigurationIds, getCredentialConfigurationsMatchingRequestFormat, getGlobalConfig, parseInteractiveAuthorizationRequest, parseKeyAttestationJwt, sendInteractiveAuthorizationRequest, setGlobalConfig, verifyInteractiveAuthorizationInitialRequest, verifyKeyAttestationJwt };
 //# sourceMappingURL=index.mjs.map