@openid4vc/openid4vp 0.3.0-alpha-20250225204254 → 0.3.0-alpha-20250303091928

package/dist/index.js

@@ -393,9 +393,19 @@ var zOpenid4vpAuthorizationRequest = import_zod7.z.object({
   presentation_definition_uri: import_utils5.zHttpsUrl.optional(),
   dcql_query: import_zod7.z.record(import_zod7.z.any()).optional(),
   client_metadata: zClientMetadata.optional(),
+  client_metadata_uri: import_utils5.zHttpsUrl.optional(),
   state: import_zod7.z.string().optional(),
   transaction_data: import_zod7.z.array(import_zod7.z.string()).optional(),
-  trust_chain: import_zod7.z.unknown().optional()
+  trust_chain: import_zod7.z.unknown().optional(),
+  client_id_scheme: import_zod7.z.enum([
+    "pre-registered",
+    "redirect_uri",
+    "entity_id",
+    "did",
+    "verifier_attestation",
+    "x509_san_dns",
+    "x509_san_uri"
+  ]).optional()
 }).passthrough();
 
 // src/authorization-request/z-authorization-request-dc-api.ts
@@ -412,21 +422,30 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
 }).extend({
   client_id: import_zod8.z.optional(import_zod8.z.string()),
   expected_origins: import_zod8.z.array(import_zod8.z.string()).optional(),
-  response_mode: import_zod8.z.enum(["dc_api", "dc_api.jwt"])
+  response_mode: import_zod8.z.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
+  client_id_scheme: import_zod8.z.enum([
+    "pre-registered",
+    "redirect_uri",
+    "entity_id",
+    "did",
+    "verifier_attestation",
+    "x509_san_dns",
+    "x509_san_uri"
+  ]).optional()
 }).strip();
 function isOpenid4vpAuthorizationRequestDcApi(request) {
-  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt";
+  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt" || request.response_mode === "w3c_dc_api.jwt" || request.response_mode === "w3c_dc_api";
 }
 
 // src/authorization-request/create-authorization-request.ts
 async function createOpenid4vpAuthorizationRequest(options) {
-  const { jar, scheme = "openid4vp://", requestParams, wallet, callbacks } = options;
+  const { jar, scheme = "openid4vp://", requestPayload, wallet, callbacks } = options;
   let additionalJwtPayload;
   let authRequestParams;
-  if (isOpenid4vpAuthorizationRequestDcApi(requestParams)) {
+  if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {
     authRequestParams = (0, import_utils6.parseWithErrorHandling)(
       zOpenid4vpAuthorizationRequestDcApi,
-      requestParams,
+      requestPayload,
       "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
     );
     if (jar && !authRequestParams.expected_origins) {
@@ -442,7 +461,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
   } else {
     authRequestParams = (0, import_utils6.parseWithErrorHandling)(
       zOpenid4vpAuthorizationRequest,
-      requestParams,
+      requestPayload,
       "Invalid authorization request. Could not parse openid4vp authorization request."
     );
     validateOpenid4vpAuthorizationRequestPayload({ params: authRequestParams, walletVerificationOptions: wallet });
@@ -455,7 +474,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
   if (jar) {
     const jarResult = await createJarAuthRequest({
       ...jar,
-      authRequestParams: requestParams,
+      authRequestParams: requestPayload,
       additionalJwtPayload,
       callbacks
     });
@@ -473,10 +492,10 @@ async function createOpenid4vpAuthorizationRequest(options) {
   const url = new import_utils6.URL(scheme);
   url.search = `?${new import_utils6.URLSearchParams([
     ...url.searchParams.entries(),
-    ...(0, import_utils6.objectToQueryParams)(requestParams).entries()
+    ...(0, import_utils6.objectToQueryParams)(requestPayload).entries()
   ]).toString()}`;
   return {
-    authRequestObject: requestParams,
+    authRequestObject: requestPayload,
     authRequest: url.toString(),
     jar: void 0
   };
@@ -562,17 +581,82 @@ function parseOpenid4vpAuthorizationRequestPayload(options) {
 }
 
 // src/authorization-request/resolve-authorization-request.ts
-var import_oauth217 = require("@openid4vc/oauth2");
-var import_utils12 = require("@openid4vc/utils");
-var import_zod14 = __toESM(require("zod"));
+var import_oauth219 = require("@openid4vc/oauth2");
+var import_utils13 = require("@openid4vc/utils");
+var import_zod15 = __toESM(require("zod"));
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
+var import_oauth213 = require("@openid4vc/oauth2");
+
+// src/version.ts
 var import_oauth212 = require("@openid4vc/oauth2");
+function parseAuthorizationRequestVersion(request) {
+  const requirements = [];
+  const vp_formats = request.client_metadata?.vp_formats;
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+    requirements.push(["<", 23]);
+    requirements.push([">=", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
+    requirements.push([">=", 23]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+    requirements.push([">=", 23]);
+  }
+  if (request.dcql_query) {
+    requirements.push([">=", 22]);
+  }
+  if (request.transaction_data) {
+    requirements.push([">=", 22]);
+  }
+  if (request.client_id_scheme) {
+    requirements.push(["<", 22]);
+  }
+  if (request.client_id) {
+    const colonIndex = request.client_id.indexOf(":");
+    const schemePart = request.client_id.substring(0, colonIndex);
+    const parsedScheme = zClientIdScheme.safeParse(schemePart);
+    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+      requirements.push([">=", 22]);
+    }
+  }
+  if (!request.client_id) {
+    requirements.push([">=", 21]);
+  }
+  if ("client_metadata_uri" in request) {
+    requirements.push(["<", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    requirements.push([">=", 21]);
+  }
+  if ("request_uri_method" in request || "wallet_nonce" in request) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_id_scheme === "verifier_attestation") {
+    requirements.push([">=", 20]);
+  }
+  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+    requirements.push([">=", 19]);
+  }
+  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
+  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+  if (lowestRequiredVersion > highestPossibleVersion) {
+    throw new import_oauth212.Oauth2ServerErrorResponseError({
+      error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      error_description: "Could not infer openid4vp version from the openid4vp request payload."
+    });
+  }
+  return highestPossibleVersion;
+}
+
+// src/client-identifier-scheme/parse-client-identifier-scheme.ts
 function getClientId(options) {
   if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
     if (!options.origin) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
@@ -581,10 +665,48 @@ function getClientId(options) {
   }
   return options.request.client_id;
 }
+function getLegacyClientId(options) {
+  const legacyClientIdScheme = options.request.client_id_scheme ?? "pre-registered";
+  let clientIdScheme;
+  if (legacyClientIdScheme === "entity_id") {
+    clientIdScheme = "https";
+  } else {
+    clientIdScheme = legacyClientIdScheme;
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
+    if (!options.origin) {
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
+      });
+    }
+    if (!options.jar || !options.request.client_id) return `web-origin:${options.origin}`;
+    return `${clientIdScheme}:${options.request.client_id}`;
+  }
+  if (clientIdScheme === "https" || clientIdScheme === "did") {
+    return options.request.client_id;
+  }
+  if (clientIdScheme === "pre-registered") {
+    return options.request.client_id;
+  }
+  return `${clientIdScheme}:${options.request.client_id}`;
+}
 function parseClientIdentifier(options, parserConfig) {
   const { request, jar } = options;
+  const version = parseAuthorizationRequestVersion(request);
+  if (version < 22) {
+    const legacyClientIdScheme = request.client_id_scheme ?? "pre-registered";
+    let clientIdSchem;
+    if (legacyClientIdScheme) {
+      if (legacyClientIdScheme === "entity_id") {
+        clientIdSchem = "https";
+      } else {
+        clientIdSchem = legacyClientIdScheme;
+      }
+    }
+  }
   const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request);
-  const clientId = getClientId(options);
+  const clientId = version < 22 ? getLegacyClientId(options) : getClientId(options);
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
@@ -600,22 +722,22 @@ function parseClientIdentifier(options, parserConfig) {
   const schemePart = clientId.substring(0, colonIndex);
   const identifierPart = clientId.substring(colonIndex + 1);
   if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
-    throw new import_oauth212.Oauth2ServerErrorResponseError({
-      error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth213.Oauth2ServerErrorResponseError({
+      error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
       error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
     });
   }
   const scheme = schemePart;
   if (scheme === "https") {
     if (isDcApiRequest) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: `The client identifier scheme 'https' is not supported when using the dc_api response mode.`
       });
     }
-    if (!clientId.startsWith("https://") && !((0, import_oauth212.getGlobalConfig)().allowInsecureUrls && clientId.startsWith("http://"))) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+    if (!clientId.startsWith("https://") && !((0, import_oauth213.getGlobalConfig)().allowInsecureUrls && clientId.startsWith("http://"))) {
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
       });
     }
@@ -628,14 +750,14 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "redirect_uri") {
     if (jar) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
       });
     }
     if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
       });
     }
@@ -648,26 +770,26 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "did") {
     if (!jar) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
       });
     }
     if (!clientId.startsWith("did:")) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with 'did:'"
       });
     }
     if (!jar.signer.publicJwk.kid) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: `Missing required 'kid' for client identifier scheme: did`
       });
     }
     if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
       });
     }
@@ -680,22 +802,22 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
     if (!jar) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
       });
     }
     if (jar.signer.method !== "x5c") {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
       });
     }
     if (scheme === "x509_san_dns") {
       if (!options.callbacks.getX509CertificateMetadata) {
-        throw new import_oauth212.Oauth2ServerErrorResponseError(
+        throw new import_oauth213.Oauth2ServerErrorResponseError(
           {
-            error: import_oauth212.Oauth2ErrorCodes.ServerError
+            error: import_oauth213.Oauth2ErrorCodes.ServerError
           },
           {
             internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
@@ -704,25 +826,25 @@ function parseClientIdentifier(options, parserConfig) {
       }
       const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanDnsNames.includes(identifierPart)) {
-        throw new import_oauth212.Oauth2ServerErrorResponseError({
-          error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
-          error_description: "Invalid client identifier. Client identifier must be a valid DNS name."
+        throw new import_oauth213.Oauth2ServerErrorResponseError({
+          error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
         });
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(request)) {
         const uri = request.redirect_uri ?? request.response_uri;
         if (!uri || getDomainFromUrl(uri) !== identifierPart) {
-          throw new import_oauth212.Oauth2ServerErrorResponseError({
-            error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+          throw new import_oauth213.Oauth2ServerErrorResponseError({
+            error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
             error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
           });
         }
       }
     } else if (scheme === "x509_san_uri") {
       if (!options.callbacks.getX509CertificateMetadata) {
-        throw new import_oauth212.Oauth2ServerErrorResponseError(
+        throw new import_oauth213.Oauth2ServerErrorResponseError(
           {
-            error: import_oauth212.Oauth2ErrorCodes.ServerError
+            error: import_oauth213.Oauth2ErrorCodes.ServerError
           },
           {
             internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
@@ -731,16 +853,16 @@ function parseClientIdentifier(options, parserConfig) {
       }
       const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanUriNames.includes(identifierPart)) {
-        throw new import_oauth212.Oauth2ServerErrorResponseError({
-          error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
-          error_description: "Invalid client identifier. Client identifier must be a valid URI."
+        throw new import_oauth213.Oauth2ServerErrorResponseError({
+          error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
         });
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(request)) {
         const uri = request.redirect_uri || request.response_uri;
         if (!uri || uri !== identifierPart) {
-          throw new import_oauth212.Oauth2ServerErrorResponseError({
-            error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+          throw new import_oauth213.Oauth2ServerErrorResponseError({
+            error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
             error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
           });
         }
@@ -763,8 +885,8 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "verifier_attestation") {
     if (!jar) {
-      throw new import_oauth212.Oauth2ServerErrorResponseError({
-        error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth213.Oauth2ServerErrorResponseError({
+        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
       });
     }
@@ -781,57 +903,97 @@ function getDomainFromUrl(url) {
     const domain = url.split("://")[1].split(regex)[0];
     return domain;
   } catch (error) {
-    throw new import_oauth212.Oauth2ServerErrorResponseError({
-      error: import_oauth212.Oauth2ErrorCodes.ServerError,
+    throw new import_oauth213.Oauth2ServerErrorResponseError({
+      error: import_oauth213.Oauth2ErrorCodes.ServerError,
       error_description: `Url '${url}' is not a valid URL`
     });
   }
 }
 
+// src/fetch-client-metadata.ts
+var import_oauth214 = require("@openid4vc/oauth2");
+var import_utils10 = require("@openid4vc/utils");
+
+// src/models/z-wallet-metadata.ts
+var import_zod11 = require("zod");
+var zWalletMetadata = import_zod11.z.object({
+  presentation_definition_uri_supported: import_zod11.z.optional(import_zod11.z.boolean()),
+  vp_formats_supported: zVpFormatsSupported,
+  client_id_schemes_supported: import_zod11.z.optional(import_zod11.z.array(zClientIdScheme)),
+  request_object_signing_alg_values_supported: import_zod11.z.optional(import_zod11.z.array(import_zod11.z.string())),
+  authorization_encryption_alg_values_supported: import_zod11.z.optional(import_zod11.z.array(import_zod11.z.string())),
+  authorization_encryption_enc_values_supported: import_zod11.z.optional(import_zod11.z.array(import_zod11.z.string()))
+});
+
+// src/fetch-client-metadata.ts
+async function fetchClientMetadata(options) {
+  const { fetch, clientMetadataUri } = options;
+  const fetcher = (0, import_utils10.createZodFetcher)(fetch);
+  const { result, response } = await fetcher(zWalletMetadata, import_utils10.ContentType.Json, clientMetadataUri, {
+    method: "GET",
+    headers: {
+      Accept: import_utils10.ContentType.Json
+    }
+  });
+  if (!response.ok) {
+    throw new import_oauth214.Oauth2ServerErrorResponseError({
+      error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
+      error: import_oauth214.Oauth2ErrorCodes.InvalidRequestUri
+    });
+  }
+  if (!result || !result.success) {
+    throw new import_oauth214.Oauth2ServerErrorResponseError({
+      error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
+      error: import_oauth214.Oauth2ErrorCodes.InvalidRequestObject
+    });
+  }
+  return result.data;
+}
+
 // src/jar/handle-jar-request/verify-jar-request.ts
-var import_oauth215 = require("@openid4vc/oauth2");
+var import_oauth217 = require("@openid4vc/oauth2");
 
 // src/jar/jar-request-object/fetch-jar-request-object.ts
-var import_oauth213 = require("@openid4vc/oauth2");
-var import_utils10 = require("@openid4vc/utils");
-var import_zod11 = require("zod");
+var import_oauth215 = require("@openid4vc/oauth2");
+var import_utils11 = require("@openid4vc/utils");
+var import_zod12 = require("zod");
 async function fetchJarRequestObject(options) {
   const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options;
-  const fetcher = (0, import_utils10.createZodFetcher)(fetch);
+  const fetcher = (0, import_utils11.createZodFetcher)(fetch);
   let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
   if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdentifierScheme === "redirect_uri") {
     const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
     requestBody = { ...requestBody, wallet_metadata: { ...rest } };
   }
-  const { result, response } = await fetcher(import_zod11.z.string(), import_utils10.ContentType.OAuthRequestObjectJwt, requestUri, {
+  const { result, response } = await fetcher(import_zod12.z.string(), import_utils11.ContentType.OAuthRequestObjectJwt, requestUri, {
     method,
     headers: {
-      Accept: `${import_utils10.ContentType.OAuthRequestObjectJwt}, ${import_utils10.ContentType.Jwt};q=0.9`,
-      "Content-Type": import_utils10.ContentType.XWwwFormUrlencoded
+      Accept: `${import_utils11.ContentType.OAuthRequestObjectJwt}, ${import_utils11.ContentType.Jwt};q=0.9`,
+      "Content-Type": import_utils11.ContentType.XWwwFormUrlencoded
     },
-    body: method === "POST" ? (0, import_utils10.objectToQueryParams)(wallet.metadata ?? {}) : void 0
+    body: method === "POST" ? (0, import_utils11.objectToQueryParams)(wallet.metadata ?? {}) : void 0
   });
   if (!response.ok) {
-    throw new import_oauth213.Oauth2ServerErrorResponseError({
+    throw new import_oauth215.Oauth2ServerErrorResponseError({
       error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
-      error: import_oauth213.Oauth2ErrorCodes.InvalidRequestUri
+      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestUri
     });
   }
   if (!result || !result.success) {
-    throw new import_oauth213.Oauth2ServerErrorResponseError({
+    throw new import_oauth215.Oauth2ServerErrorResponseError({
       error_description: `Parsing request_object from request_uri '${requestUri}' failed.`,
-      error: import_oauth213.Oauth2ErrorCodes.InvalidRequestObject
+      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject
     });
   }
   return result.data;
 }
 
 // src/jar/jar-request-object/z-jar-request-object.ts
-var import_oauth214 = require("@openid4vc/oauth2");
-var import_zod12 = require("zod");
-var zJarRequestObjectPayload = import_zod12.z.object({
-  ...import_oauth214.zJwtPayload.shape,
-  client_id: import_zod12.z.string()
+var import_oauth216 = require("@openid4vc/oauth2");
+var import_zod13 = require("zod");
+var zJarRequestObjectPayload = import_zod13.z.object({
+  ...import_oauth216.zJwtPayload.shape,
+  client_id: import_zod13.z.string()
 }).passthrough();
 
 // src/jar/handle-jar-request/verify-jar-request.ts
@@ -842,8 +1004,8 @@ async function verifyJarRequest(options) {
   const clientIdentifierScheme = jarRequestParams.client_id ? zClientIdScheme.parse(jarRequestParams.client_id.split(":")[0]) : "web-origin";
   const method = jarRequestParams.request_uri_method ?? "GET";
   if (method !== "GET" && method !== "POST") {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
-      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestUriMethod,
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
+      error: import_oauth217.Oauth2ErrorCodes.InvalidRequestUriMethod,
       error_description: "Invalid request_uri_method. Must be GET or POST."
     });
   }
@@ -853,12 +1015,12 @@ async function verifyJarRequest(options) {
     method,
     wallet
   });
-  const requestObjectIsEncrypted = import_oauth215.zCompactJwe.safeParse(requestObject).success;
+  const requestObjectIsEncrypted = import_oauth217.zCompactJwe.safeParse(requestObject).success;
   const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted ? await decryptJarRequest({ jwe: requestObject, callbacks }) : { payload: requestObject, decryptionJwk: void 0 };
-  const requestIsSigned = import_oauth215.zCompactJwt.safeParse(decryptedRequestObject).success;
+  const requestIsSigned = import_oauth217.zCompactJwt.safeParse(decryptedRequestObject).success;
   if (!requestIsSigned) {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
-      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject,
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
+      error: import_oauth217.Oauth2ErrorCodes.InvalidRequestObject,
       error_description: "Jar Request Object is not a valid JWS."
     });
   }
@@ -867,14 +1029,14 @@ async function verifyJarRequest(options) {
     callbacks
   });
   if (!authRequestParams.client_id) {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
-      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject,
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
+      error: import_oauth217.Oauth2ErrorCodes.InvalidRequestObject,
       error_description: 'Jar Request Object is missing the required "client_id" field.'
     });
   }
   if (jarRequestParams.client_id !== authRequestParams.client_id) {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
-      error: import_oauth215.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
+      error: import_oauth217.Oauth2ErrorCodes.InvalidRequest,
       error_description: "client_id does not match the request object client_id."
     });
   }
@@ -887,16 +1049,16 @@ async function verifyJarRequest(options) {
 }
 async function decryptJarRequest(options) {
   const { jwe, callbacks } = options;
-  const { header } = (0, import_oauth215.decodeJwt)({ jwt: jwe });
+  const { header } = (0, import_oauth217.decodeJwt)({ jwt: jwe });
   if (!header.kid) {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
-      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject,
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
+      error: import_oauth217.Oauth2ErrorCodes.InvalidRequestObject,
       error_description: 'Jar JWE is missing the protected header field "kid".'
     });
   }
   const decryptionResult = await callbacks.decryptJwe(jwe);
   if (!decryptionResult.decrypted) {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
       error: "invalid_request_object",
       error_description: "Failed to decrypt jar request object."
     });
@@ -905,39 +1067,46 @@ async function decryptJarRequest(options) {
 }
 async function verifyJarRequestObject(options) {
   const { decryptedRequestObject, callbacks } = options;
-  const jwt = (0, import_oauth215.decodeJwt)({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
-  const jwtSigner = (0, import_oauth215.jwtSignerFromJwt)(jwt);
-  const { signer } = await (0, import_oauth215.verifyJwt)({
+  const jwt = (0, import_oauth217.decodeJwt)({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload });
+  const jwtSigner = (0, import_oauth217.jwtSignerFromJwt)(jwt);
+  const { signer } = await (0, import_oauth217.verifyJwt)({
     verifyJwtCallback: callbacks.verifyJwt,
     compact: decryptedRequestObject,
     header: jwt.header,
     payload: jwt.payload,
     signer: jwtSigner
   });
+  const version = parseAuthorizationRequestVersion(jwt.payload);
+  if (jwt.header.typ !== "oauth-authz-req+jwt" && version >= 24) {
+    throw new import_oauth217.Oauth2ServerErrorResponseError({
+      error: import_oauth217.Oauth2ErrorCodes.InvalidRequestObject,
+      error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
+    });
+  }
   return { authRequestParams: jwt.payload, signer };
 }
 
 // src/transaction-data/parse-transaction-data.ts
-var import_oauth216 = require("@openid4vc/oauth2");
-var import_utils11 = require("@openid4vc/utils");
+var import_oauth218 = require("@openid4vc/oauth2");
+var import_utils12 = require("@openid4vc/utils");
 
 // src/transaction-data/z-transaction-data.ts
-var import_zod13 = require("zod");
-var zTransactionEntry = import_zod13.z.object({
-  type: import_zod13.z.string(),
-  credential_ids: import_zod13.z.array(import_zod13.z.string()).min(1),
-  transaction_data_hashes_alg: import_zod13.z.array(import_zod13.z.string()).optional()
+var import_zod14 = require("zod");
+var zTransactionEntry = import_zod14.z.object({
+  type: import_zod14.z.string(),
+  credential_ids: import_zod14.z.array(import_zod14.z.string()).min(1),
+  transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).optional()
 });
-var zTransactionData = import_zod13.z.array(zTransactionEntry);
+var zTransactionData = import_zod14.z.array(zTransactionEntry);
 
 // src/transaction-data/parse-transaction-data.ts
 function parseTransactionData(options) {
   const { transactionData } = options;
-  const decoded = transactionData.map((tdEntry) => (0, import_utils11.parseIfJson)((0, import_utils11.encodeToUtf8String)((0, import_utils11.decodeBase64)(tdEntry))));
+  const decoded = transactionData.map((tdEntry) => (0, import_utils12.parseIfJson)((0, import_utils12.encodeToUtf8String)((0, import_utils12.decodeBase64)(tdEntry))));
   const parsedResult = zTransactionData.safeParse(decoded);
   if (!parsedResult.success) {
-    throw new import_oauth216.Oauth2ServerErrorResponseError({
-      error: import_oauth216.Oauth2ErrorCodes.InvalidTransactionData,
+    throw new import_oauth218.Oauth2ServerErrorResponseError({
+      error: import_oauth218.Oauth2ErrorCodes.InvalidTransactionData,
       error_description: "Failed to parse transaction data."
     });
   }
@@ -946,18 +1115,18 @@ function parseTransactionData(options) {
 
 // src/authorization-request/resolve-authorization-request.ts
 async function resolveOpenid4vpAuthorizationRequest(options) {
-  const { request, wallet, callbacks, origin, omitOriginValidation } = options;
+  const { requestPayload, wallet, callbacks, origin, omitOriginValidation } = options;
   let authRequestPayload;
-  const parsed = (0, import_utils12.parseWithErrorHandling)(
-    import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),
-    request,
+  const parsed = (0, import_utils13.parseWithErrorHandling)(
+    import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),
+    requestPayload,
     "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
   );
   let jar;
   if (isJarAuthRequest(parsed)) {
     jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
-    const parsedJarAuthRequestPayload = (0, import_utils12.parseWithErrorHandling)(
-      import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
+    const parsedJarAuthRequestPayload = (0, import_utils13.parseWithErrorHandling)(
+      import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
       jar.authRequestParams,
       "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
     );
@@ -977,13 +1146,22 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
       omitOriginValidation
     });
   }
-  const clientMeta = parseClientIdentifier({ request: authRequestPayload, jar, callbacks, origin });
+  let clientMetadata;
+  if (!isOpenid4vpAuthorizationRequestDcApi(authRequestPayload) && authRequestPayload.client_metadata_uri) {
+    clientMetadata = await fetchClientMetadata({ clientMetadataUri: authRequestPayload.client_metadata_uri });
+  }
+  const clientMeta = parseClientIdentifier({
+    request: { ...authRequestPayload, client_metadata: clientMetadata ?? authRequestPayload.client_metadata },
+    jar,
+    callbacks,
+    origin
+  });
   let pex;
   let dcql;
   if (authRequestPayload.presentation_definition || authRequestPayload.presentation_definition_uri) {
     if (authRequestPayload.presentation_definition_uri) {
-      throw new import_oauth217.Oauth2ServerErrorResponseError({
-        error: import_oauth217.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth219.Oauth2ServerErrorResponseError({
+        error: import_oauth219.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Cannot fetch presentation definition from URI. Not supported."
       });
     }
@@ -998,7 +1176,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   const transactionData = authRequestPayload.transaction_data ? parseTransactionData({ transactionData: authRequestPayload.transaction_data }) : void 0;
   return {
     transactionData,
-    payload: authRequestPayload,
+    requestPayload: authRequestPayload,
     jar,
     client: { ...clientMeta },
     pex,
@@ -1021,8 +1199,8 @@ function validateOpenId4vpPayload(options) {
 }
 
 // src/authorization-response/create-authorization-response.ts
-var import_oauth220 = require("@openid4vc/oauth2");
-var import_utils13 = require("@openid4vc/utils");
+var import_oauth222 = require("@openid4vc/oauth2");
+var import_utils14 = require("@openid4vc/utils");
 
 // ../utils/src/date.ts
 function addSecondsToDate(date, seconds) {
@@ -1030,7 +1208,7 @@ function addSecondsToDate(date, seconds) {
 }
 
 // src/jarm/jarm-auth-response-create.ts
-var import_oauth218 = require("@openid4vc/oauth2");
+var import_oauth220 = require("@openid4vc/oauth2");
 async function createJarmAuthResponse(options) {
   const { jarmAuthResponse, jweEncryptor, jwtSigner, callbacks } = options;
   if (!jwtSigner && jweEncryptor) {
@@ -1039,16 +1217,16 @@ async function createJarmAuthResponse(options) {
   }
   if (jwtSigner && !jweEncryptor) {
     const signed2 = await callbacks.signJwt(jwtSigner, {
-      header: (0, import_oauth218.jwtHeaderFromJwtSigner)(jwtSigner),
+      header: (0, import_oauth220.jwtHeaderFromJwtSigner)(jwtSigner),
       payload: jarmAuthResponse
     });
     return { jarmAuthResponseJwt: signed2.jwt };
   }
   if (!jwtSigner || !jweEncryptor) {
-    throw new import_oauth218.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
+    throw new import_oauth220.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
   }
   const signed = await callbacks.signJwt(jwtSigner, {
-    header: (0, import_oauth218.jwtHeaderFromJwtSigner)(jwtSigner),
+    header: (0, import_oauth220.jwtHeaderFromJwtSigner)(jwtSigner),
     payload: jarmAuthResponse
   });
   const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt);
@@ -1060,13 +1238,15 @@ function extractJwksFromClientMetadata(clientMetadata) {
   const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
   const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
   const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc");
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig");
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
   return { encJwk, sigJwk };
 }
 
 // src/jarm/jarm-response-mode.ts
-var import_zod15 = require("zod");
+var import_zod16 = require("zod");
 var jarmResponseMode = [
   "jwt",
   "query.jwt",
@@ -1075,18 +1255,18 @@ var jarmResponseMode = [
   "direct_post.jwt",
   "dc_api.jwt"
 ];
-var zJarmResponseMode = import_zod15.z.enum(jarmResponseMode);
+var zJarmResponseMode = import_zod16.z.enum(jarmResponseMode);
 var isJarmResponseMode = (responseMode) => {
   return jarmResponseMode.includes(responseMode);
 };
 
 // src/jarm/metadata/jarm-assert-metadata-supported.ts
-var import_oauth219 = require("@openid4vc/oauth2");
+var import_oauth221 = require("@openid4vc/oauth2");
 function assertValueSupported(options) {
   const { errorMessage, supported, actual } = options;
   const intersection = supported.find((value) => value === actual);
   if (!intersection) {
-    throw new import_oauth219.Oauth2Error(errorMessage);
+    throw new import_oauth221.Oauth2Error(errorMessage);
   }
   return intersection;
 }
@@ -1121,77 +1301,77 @@ function jarmAssertMetadataSupported(options) {
 
 // src/authorization-response/create-authorization-response.ts
 async function createOpenid4vpAuthorizationResponse(options) {
-  const { requestParams, responseParams, jarm, callbacks } = options;
-  const openid4vpAuthResponseParams = {
-    ...responseParams,
-    ..."state" in requestParams && { state: requestParams.state }
+  const { requestPayload, jarm, callbacks } = options;
+  const responsePayload = {
+    ...options.responsePayload,
+    ..."state" in requestPayload && { state: requestPayload.state }
   };
-  if (requestParams.response_mode && isJarmResponseMode(requestParams.response_mode) && !jarm) {
-    throw new import_oauth220.Oauth2Error(
-      `Missing jarm options for creating Jarm response with response mode '${requestParams.response_mode}'`
+  if (requestPayload.response_mode && isJarmResponseMode(requestPayload.response_mode) && !jarm) {
+    throw new import_oauth222.Oauth2Error(
+      `Missing jarm options for creating Jarm response with response mode '${requestPayload.response_mode}'`
     );
   }
   if (!jarm) {
     return {
-      responseParams: openid4vpAuthResponseParams
+      responsePayload
     };
   }
-  if (!requestParams.client_metadata) {
-    throw new import_oauth220.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
+  if (!requestPayload.client_metadata) {
+    throw new import_oauth222.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
   }
-  if (!requestParams.client_metadata.jwks) {
-    throw new import_oauth220.Oauth2ServerErrorResponseError({
-      error: import_oauth220.Oauth2ErrorCodes.InvalidRequest,
+  if (!requestPayload.client_metadata.jwks) {
+    throw new import_oauth222.Oauth2ServerErrorResponseError({
+      error: import_oauth222.Oauth2ErrorCodes.InvalidRequest,
       error_description: "Missing JWKS in client metadata. Cannot extract encryption JWK."
     });
   }
   const supportedJarmMetadata = jarmAssertMetadataSupported({
-    clientMetadata: requestParams.client_metadata,
+    clientMetadata: requestPayload.client_metadata,
     serverMetadata: jarm.serverMetadata
   });
   const clientMetaJwks = extractJwksFromClientMetadata({
-    ...requestParams.client_metadata,
-    jwks: requestParams.client_metadata.jwks
+    ...requestPayload.client_metadata,
+    jwks: requestPayload.client_metadata.jwks
   });
   if (!clientMetaJwks?.encJwk) {
-    throw new import_oauth220.Oauth2ServerErrorResponseError({
-      error: import_oauth220.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth222.Oauth2ServerErrorResponseError({
+      error: import_oauth222.Oauth2ErrorCodes.InvalidRequest,
       error_description: "Could not extract encryption JWK from client metadata. Failed to create JARM response."
     });
   }
   let additionalJwtPayload;
   if (jarm?.jwtSigner) {
     if (!jarm.authorizationServer) {
-      throw new import_oauth220.Oauth2ServerErrorResponseError({
-        error: import_oauth220.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth222.Oauth2ServerErrorResponseError({
+        error: import_oauth222.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Missing required iss in JARM configuration for creating OpenID4VP authorization response."
       });
     }
     if (!jarm.audience) {
-      throw new import_oauth220.Oauth2ServerErrorResponseError({
-        error: import_oauth220.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth222.Oauth2ServerErrorResponseError({
+        error: import_oauth222.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
       });
     }
     additionalJwtPayload = {
       iss: jarm.authorizationServer,
       aud: jarm.audience,
-      exp: jarm.expiresInSeconds ?? (0, import_utils13.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10))
+      exp: jarm.expiresInSeconds ?? (0, import_utils14.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10))
       // default: 10 minutes
     };
   }
-  const jarmResponseParams = {
-    ...openid4vpAuthResponseParams,
+  const jarmResponsePayload = {
+    ...responsePayload,
     ...additionalJwtPayload
   };
   const result = await createJarmAuthResponse({
-    jarmAuthResponse: jarmResponseParams,
+    jarmAuthResponse: jarmResponsePayload,
     jwtSigner: jarm?.jwtSigner,
     jweEncryptor: jarm?.encryption && (supportedJarmMetadata.type === "encrypt" || supportedJarmMetadata.type === "sign_encrypt") ? {
       method: "jwk",
       publicJwk: clientMetaJwks.encJwk,
       apu: jarm.encryption?.nonce,
-      apv: requestParams.nonce,
+      apv: requestPayload.nonce,
       alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,
       enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc
     } : void 0,
@@ -1201,32 +1381,32 @@ async function createOpenid4vpAuthorizationResponse(options) {
     }
   });
   return {
-    responseParams: jarmResponseParams,
+    responsePayload: jarmResponsePayload,
     jarm: { responseJwt: result.jarmAuthResponseJwt }
   };
 }
 
 // src/authorization-response/submit-authorization-response.ts
-var import_oauth222 = require("@openid4vc/oauth2");
-var import_utils15 = require("@openid4vc/utils");
+var import_oauth224 = require("@openid4vc/oauth2");
 var import_utils16 = require("@openid4vc/utils");
+var import_utils17 = require("@openid4vc/utils");
 
 // src/jarm/jarm-auth-response-send.ts
-var import_oauth221 = require("@openid4vc/oauth2");
-var import_utils14 = require("@openid4vc/utils");
+var import_oauth223 = require("@openid4vc/oauth2");
+var import_utils15 = require("@openid4vc/utils");
 var jarmAuthResponseSend = (options) => {
   const { authRequest, jarmAuthResponseJwt, callbacks } = options;
   const responseEndpoint = authRequest.response_uri ?? authRequest.redirect_uri;
   if (!responseEndpoint) {
-    throw new import_oauth221.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST  be present in the authorization request`);
+    throw new import_oauth223.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST  be present in the authorization request`);
   }
-  const responseEndpointUrl = new import_utils14.URL(responseEndpoint);
+  const responseEndpointUrl = new import_utils15.URL(responseEndpoint);
   return handleDirectPostJwt(responseEndpointUrl, jarmAuthResponseJwt, callbacks);
 };
 async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
-  const response = await (callbacks.fetch ?? import_utils14.defaultFetcher)(responseEndpoint, {
+  const response = await (callbacks.fetch ?? import_utils15.defaultFetcher)(responseEndpoint, {
     method: "POST",
-    headers: { "Content-Type": import_utils14.ContentType.XWwwFormUrlencoded },
+    headers: { "Content-Type": import_utils15.ContentType.XWwwFormUrlencoded },
     body: `response=${responseJwt}`
   });
   return {
@@ -1237,27 +1417,27 @@ async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
 
 // src/authorization-response/submit-authorization-response.ts
 async function submitOpenid4vpAuthorizationResponse(options) {
-  const { request, response, jarm, callbacks } = options;
-  const url = request.response_uri;
+  const { requestPayload, responsePayload, jarm, callbacks } = options;
+  const url = requestPayload.response_uri;
   if (jarm) {
     return jarmAuthResponseSend({
-      authRequest: request,
+      authRequest: requestPayload,
       jarmAuthResponseJwt: jarm.responseJwt,
       callbacks
     });
   }
   if (!url) {
-    throw new import_oauth222.Oauth2Error(
+    throw new import_oauth224.Oauth2Error(
       "Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
     );
   }
-  const fetch = callbacks.fetch ?? import_utils15.defaultFetcher;
-  const encodedResponse = (0, import_utils16.objectToQueryParams)(response);
+  const fetch = callbacks.fetch ?? import_utils16.defaultFetcher;
+  const encodedResponse = (0, import_utils17.objectToQueryParams)(responsePayload);
   const submissionResponse = await fetch(url, {
     method: "POST",
     body: encodedResponse,
     headers: {
-      "Content-Type": import_utils15.ContentType.XWwwFormUrlencoded
+      "Content-Type": import_utils16.ContentType.XWwwFormUrlencoded
     }
   });
   return {
@@ -1267,33 +1447,33 @@ async function submitOpenid4vpAuthorizationResponse(options) {
 }
 
 // src/authorization-response/validate-authorization-response.ts
-var import_oauth225 = require("@openid4vc/oauth2");
+var import_oauth227 = require("@openid4vc/oauth2");
 
 // src/vp-token/parse-presentations-from-vp-token.ts
-var import_oauth223 = require("@openid4vc/oauth2");
-var import_oauth224 = require("@openid4vc/oauth2");
-var import_utils17 = require("@openid4vc/utils");
-var import_zod16 = require("zod");
+var import_oauth225 = require("@openid4vc/oauth2");
+var import_oauth226 = require("@openid4vc/oauth2");
+var import_utils18 = require("@openid4vc/utils");
+var import_zod17 = require("zod");
 function parsePresentationsFromVpToken(options) {
   const { vpToken: _vpToken } = options;
-  const vpToken = (0, import_utils17.parseIfJson)(_vpToken);
+  const vpToken = (0, import_utils18.parseIfJson)(_vpToken);
   if (Array.isArray(vpToken)) {
     if (vpToken.length === 0) {
-      throw new import_oauth223.Oauth2Error("Could not parse vp_token. vp_token is an empty array.");
+      throw new import_oauth225.Oauth2Error("Could not parse vp_token. vp_token is an empty array.");
     }
     return vpToken.map((token, idx) => parseSinglePresentationFromVpToken({ vpToken: token, path: `$[${idx}]` }));
   }
   if (typeof vpToken === "string" || typeof vpToken === "object") {
     return [parseSinglePresentationFromVpToken({ vpToken, path: "$" })];
   }
-  throw new import_oauth223.Oauth2Error(
+  throw new import_oauth225.Oauth2Error(
     `Could not parse vp_token. Expected a string or an array of strings. Received: ${typeof vpToken}`
   );
 }
 function parseDcqlPresentationFromVpToken(options) {
   const { vpToken: _vpToken } = options;
-  const vpToken = (0, import_utils17.parseIfJson)(_vpToken);
-  const parsed = (0, import_utils17.parseWithErrorHandling)(import_zod16.z.object({}).passthrough(), vpToken);
+  const vpToken = (0, import_utils18.parseIfJson)(_vpToken);
+  const parsed = (0, import_utils18.parseWithErrorHandling)(import_zod17.z.object({}).passthrough(), vpToken);
   const dcqlPresentationRecord = Object.fromEntries(
     Object.entries(parsed).map(([key, value]) => {
       return [key, parseSinglePresentationFromVpToken({ vpToken: value })];
@@ -1303,25 +1483,25 @@ function parseDcqlPresentationFromVpToken(options) {
 }
 function parseSinglePresentationFromVpToken(options) {
   const { vpToken: _vpToken, path } = options;
-  const vpToken = (0, import_utils17.parseIfJson)(_vpToken);
-  const zLdpVpProof = import_zod16.z.object({ challenge: import_zod16.z.string().optional() }).passthrough();
-  const ldpVpParseResult = import_zod16.z.object({
-    "@context": import_zod16.z.string().optional(),
-    verifiableCredential: import_zod16.z.string().optional(),
-    proof: import_zod16.z.union([zLdpVpProof, import_zod16.z.array(zLdpVpProof)]).optional()
+  const vpToken = (0, import_utils18.parseIfJson)(_vpToken);
+  const zLdpVpProof = import_zod17.z.object({ challenge: import_zod17.z.string().optional() }).passthrough();
+  const ldpVpParseResult = import_zod17.z.object({
+    "@context": import_zod17.z.string().optional(),
+    verifiableCredential: import_zod17.z.string().optional(),
+    proof: import_zod17.z.union([zLdpVpProof, import_zod17.z.array(zLdpVpProof)]).optional()
   }).passthrough().safeParse(vpToken);
   if (ldpVpParseResult.success && (ldpVpParseResult.data["@context"] || ldpVpParseResult.data.verifiableCredential)) {
     const challenge = Array.isArray(ldpVpParseResult.data.proof) ? ldpVpParseResult.data.proof.map((proof) => proof.challenge) : ldpVpParseResult.data.proof?.challenge;
     if (Array.isArray(challenge)) {
       const allNoncesAreTheSame = challenge.every((nonce) => nonce === challenge[0]);
       if (!allNoncesAreTheSame) {
-        throw new import_oauth223.Oauth2Error(
+        throw new import_oauth225.Oauth2Error(
           "Failed to parse presentation from vp_token. LDP presentation is missing the proof.challenge parameter."
         );
       }
     }
     if (!challenge) {
-      throw new import_oauth223.Oauth2Error(
+      throw new import_oauth225.Oauth2Error(
         "Failed to parse presentation from vp_token. LDP presentation is missing the proof.challenge parameter."
       );
     }
@@ -1332,7 +1512,7 @@ function parseSinglePresentationFromVpToken(options) {
       nonce: Array.isArray(challenge) ? challenge[0] : challenge
     };
   }
-  if ((0, import_utils17.isObject)(vpToken) && (vpToken.schema_id || vpToken.cred_def_id)) {
+  if ((0, import_utils18.isObject)(vpToken) && (vpToken.schema_id || vpToken.cred_def_id)) {
     return {
       format: "ac_vp",
       presentation: vpToken,
@@ -1340,7 +1520,7 @@ function parseSinglePresentationFromVpToken(options) {
     };
   }
   if (typeof vpToken !== "string") {
-    throw new import_oauth223.Oauth2Error(
+    throw new import_oauth225.Oauth2Error(
       `Could not parse vp_token. Expected a string since the vp_token is neither a ldp_vp nor an ac_vp. Received: ${typeof vpToken}`
     );
   }
@@ -1349,7 +1529,7 @@ function parseSinglePresentationFromVpToken(options) {
     const keyBindingJwt = split[split.length - 1];
     let nonce;
     try {
-      const decoded = (0, import_oauth223.decodeJwt)({ jwt: keyBindingJwt });
+      const decoded = (0, import_oauth225.decodeJwt)({ jwt: keyBindingJwt });
       nonce = decoded.payload.nonce;
     } catch (error) {
       nonce = void 0;
@@ -1360,11 +1540,11 @@ function parseSinglePresentationFromVpToken(options) {
       path: options.path
     };
   }
-  const result = import_oauth224.zCompactJwt.safeParse(vpToken);
+  const result = import_oauth226.zCompactJwt.safeParse(vpToken);
   if (result.success) {
     let nonce;
     try {
-      const decoded = (0, import_oauth223.decodeJwt)({ jwt: vpToken });
+      const decoded = (0, import_oauth225.decodeJwt)({ jwt: vpToken });
       nonce = decoded.payload.nonce;
     } catch (error) {
       nonce = void 0;
@@ -1385,98 +1565,98 @@ function parseSinglePresentationFromVpToken(options) {
 
 // src/authorization-response/validate-authorization-response.ts
 function validateOpenid4vpAuthorizationResponse(options) {
-  const { authorizationRequest, authorizationResponse } = options;
-  if (!authorizationResponse.vp_token) {
-    throw new import_oauth225.Oauth2Error("Failed to verify OpenId4Vp Authorization Response. vp_token is missing.");
+  const { requestPayload, responsePayload } = options;
+  if (!responsePayload.vp_token) {
+    throw new import_oauth227.Oauth2Error("Failed to verify OpenId4Vp Authorization Response. vp_token is missing.");
   }
-  if ("state" in authorizationRequest && authorizationRequest.state !== authorizationResponse.state) {
-    throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
+  if ("state" in requestPayload && requestPayload.state !== responsePayload.state) {
+    throw new import_oauth227.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
   }
-  if (authorizationResponse.id_token) {
-    throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
+  if (responsePayload.id_token) {
+    throw new import_oauth227.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
   }
-  if (authorizationResponse.presentation_submission) {
-    if (!authorizationRequest.presentation_definition) {
-      throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
+  if (responsePayload.presentation_submission) {
+    if (!requestPayload.presentation_definition) {
+      throw new import_oauth227.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
     }
-    const presentations = parsePresentationsFromVpToken({ vpToken: authorizationResponse.vp_token });
-    if (presentations.every((p) => p.nonce) && !presentations.every((p) => p.nonce === authorizationRequest.nonce)) {
-      throw new import_oauth225.Oauth2Error(
+    const presentations = parsePresentationsFromVpToken({ vpToken: responsePayload.vp_token });
+    if (presentations.every((p) => p.nonce) && !presentations.every((p) => p.nonce === requestPayload.nonce)) {
+      throw new import_oauth227.Oauth2Error(
         "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
       );
     }
     return {
       type: "pex",
-      pex: "scope" in authorizationRequest && authorizationRequest.scope ? {
-        scope: authorizationRequest.scope,
-        presentationSubmission: authorizationResponse.presentation_submission,
+      pex: "scope" in requestPayload && requestPayload.scope ? {
+        scope: requestPayload.scope,
+        presentationSubmission: responsePayload.presentation_submission,
         presentations
       } : {
-        presentationDefinition: authorizationRequest.presentation_definition,
-        presentationSubmission: authorizationResponse.presentation_submission,
+        presentationDefinition: requestPayload.presentation_definition,
+        presentationSubmission: responsePayload.presentation_submission,
         presentations
       }
     };
   }
-  if (authorizationRequest.dcql_query) {
-    if (Array.isArray(authorizationResponse.vp_token)) {
-      throw new import_oauth225.Oauth2Error(
+  if (requestPayload.dcql_query) {
+    if (Array.isArray(responsePayload.vp_token)) {
+      throw new import_oauth227.Oauth2Error(
         "The OpenId4Vp Authorization Response contains multiple vp_token values. In combination with dcql this is not possible."
       );
     }
-    if (typeof authorizationResponse.vp_token !== "string" && typeof authorizationResponse.vp_token !== "object") {
-      throw new import_oauth225.Oauth2Error("With DCQL the vp_token must be a JSON-encoded object.");
+    if (typeof responsePayload.vp_token !== "string" && typeof responsePayload.vp_token !== "object") {
+      throw new import_oauth227.Oauth2Error("With DCQL the vp_token must be a JSON-encoded object.");
     }
-    const presentation = parseDcqlPresentationFromVpToken({ vpToken: authorizationResponse.vp_token });
-    if (Object.values(presentation).every((p) => p.nonce) && !Object.values(presentation).every((p) => p.nonce === authorizationRequest.nonce)) {
-      throw new import_oauth225.Oauth2Error(
+    const presentation = parseDcqlPresentationFromVpToken({ vpToken: responsePayload.vp_token });
+    if (Object.values(presentation).every((p) => p.nonce) && !Object.values(presentation).every((p) => p.nonce === requestPayload.nonce)) {
+      throw new import_oauth227.Oauth2Error(
         "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
       );
     }
     return {
       type: "dcql",
-      dcql: "scope" in authorizationRequest && authorizationRequest.scope ? {
-        scope: authorizationRequest.scope,
+      dcql: "scope" in requestPayload && requestPayload.scope ? {
+        scope: requestPayload.scope,
         presentation
       } : {
-        query: authorizationRequest.dcql_query,
+        query: requestPayload.dcql_query,
         presentation
       }
     };
   }
-  throw new import_oauth225.Oauth2Error(
+  throw new import_oauth227.Oauth2Error(
     "Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor a dcql_query."
   );
 }
 
 // src/authorization-response/parse-authorization-response.ts
-var import_oauth227 = require("@openid4vc/oauth2");
+var import_oauth229 = require("@openid4vc/oauth2");
 
 // src/authorization-response/parse-authorization-response-payload.ts
-var import_utils18 = require("@openid4vc/utils");
+var import_utils19 = require("@openid4vc/utils");
 
 // src/authorization-response/z-authorization-response.ts
-var import_zod18 = require("zod");
+var import_zod19 = require("zod");
 
 // src/vp-token/z-vp-token.ts
-var import_zod17 = require("zod");
-var zVpToken = import_zod17.z.union([import_zod17.z.string(), import_zod17.z.array(import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())])), import_zod17.z.record(import_zod17.z.any())]);
+var import_zod18 = require("zod");
+var zVpToken = import_zod18.z.union([import_zod18.z.string(), import_zod18.z.array(import_zod18.z.union([import_zod18.z.string(), import_zod18.z.record(import_zod18.z.any())])), import_zod18.z.record(import_zod18.z.any())]);
 
 // src/authorization-response/z-authorization-response.ts
-var zOpenid4vpAuthorizationResponse = import_zod18.z.object({
-  state: import_zod18.z.string().optional(),
-  id_token: import_zod18.z.string().optional(),
+var zOpenid4vpAuthorizationResponse = import_zod19.z.object({
+  state: import_zod19.z.string().optional(),
+  id_token: import_zod19.z.string().optional(),
   vp_token: zVpToken,
-  presentation_submission: import_zod18.z.unknown().optional(),
-  refresh_token: import_zod18.z.string().optional(),
-  token_type: import_zod18.z.string().optional(),
-  access_token: import_zod18.z.string().optional(),
-  expires_in: import_zod18.z.number().optional()
+  presentation_submission: import_zod19.z.unknown().optional(),
+  refresh_token: import_zod19.z.string().optional(),
+  token_type: import_zod19.z.string().optional(),
+  access_token: import_zod19.z.string().optional(),
+  expires_in: import_zod19.z.number().optional()
 }).passthrough();
 
 // src/authorization-response/parse-authorization-response-payload.ts
 function parseOpenid4VpAuthorizationResponsePayload(payload) {
-  return (0, import_utils18.parseWithErrorHandling)(
+  return (0, import_utils19.parseWithErrorHandling)(
     zOpenid4vpAuthorizationResponse,
     payload,
     "Failed to parse openid4vp authorization response."
@@ -1484,19 +1664,19 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 }
 
 // src/authorization-response/parse-jarm-authorization-response.ts
-var import_oauth226 = require("@openid4vc/oauth2");
-var import_utils19 = require("@openid4vc/utils");
-var import_zod19 = __toESM(require("zod"));
+var import_oauth228 = require("@openid4vc/oauth2");
+var import_utils20 = require("@openid4vc/utils");
+var import_zod20 = __toESM(require("zod"));
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks } = options;
-  const jarmAuthorizationResponseJwt = (0, import_utils19.parseWithErrorHandling)(
-    import_zod19.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
+  const jarmAuthorizationResponseJwt = (0, import_utils20.parseWithErrorHandling)(
+    import_zod20.default.union([import_oauth228.zCompactJwt, import_oauth228.zCompactJwe]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
   const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks });
-  const zJarmHeader = import_zod19.default.object({ ...import_oauth226.zJwtHeader.shape, apu: import_zod19.default.string().optional(), apv: import_zod19.default.string().optional() });
-  const { header: jarmHeader } = (0, import_oauth226.decodeJwtHeader)({
+  const zJarmHeader = import_zod20.default.object({ ...import_oauth228.zJwtHeader.shape, apu: import_zod20.default.string().optional(), apv: import_zod20.default.string().optional() });
+  const { header: jarmHeader } = (0, import_oauth228.decodeJwtHeader)({
     jwt: jarmAuthorizationResponseJwt,
     headerSchema: zJarmHeader
   });
@@ -1504,27 +1684,27 @@ async function parseJarmAuthorizationResponse(options) {
     authorizationRequest: verifiedJarmResponse.authorizationRequest
   });
   if (parsedAuthorizationRequest.type !== "openid4vp" && parsedAuthorizationRequest.type !== "openid4vp_dc_api") {
-    throw new import_oauth226.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
+    throw new import_oauth228.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
   const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
-    authorizationRequest: parsedAuthorizationRequest.params,
-    authorizationResponse: authResponsePayload
+    requestPayload: parsedAuthorizationRequest.params,
+    responsePayload: authResponsePayload
   });
   const authRequestPayload = parsedAuthorizationRequest.params;
   if (!authRequestPayload.response_mode || !isJarmResponseMode(authRequestPayload.response_mode)) {
-    throw new import_oauth226.Oauth2Error(
+    throw new import_oauth228.Oauth2Error(
       `Invalid response mode for jarm response. Response mode: '${authRequestPayload.response_mode ?? "fragment"}'`
     );
   }
   let mdocGeneratedNonce = void 0;
   if (jarmHeader?.apu) {
-    mdocGeneratedNonce = (0, import_utils19.encodeToUtf8String)((0, import_utils19.decodeBase64)(jarmHeader.apu));
+    mdocGeneratedNonce = (0, import_utils20.encodeToUtf8String)((0, import_utils20.decodeBase64)(jarmHeader.apu));
   }
   if (jarmHeader?.apv) {
-    const jarmRequestNonce = (0, import_utils19.encodeToUtf8String)((0, import_utils19.decodeBase64)(jarmHeader.apv));
+    const jarmRequestNonce = (0, import_utils20.encodeToUtf8String)((0, import_utils20.decodeBase64)(jarmHeader.apv));
     if (jarmRequestNonce !== authRequestPayload.nonce) {
-      throw new import_oauth226.Oauth2Error("The nonce in the jarm header does not match the nonce in the request.");
+      throw new import_oauth228.Oauth2Error("The nonce in the jarm header does not match the nonce in the request.");
     }
   }
   return {
@@ -1545,15 +1725,15 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authResponsePayload);
   const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest });
   if (parsedAuthRequest.type !== "openid4vp" && parsedAuthRequest.type !== "openid4vp_dc_api") {
-    throw new import_oauth227.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
+    throw new import_oauth229.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
   }
   const authRequestPayload = parsedAuthRequest.params;
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
-    authorizationRequest: authRequestPayload,
-    authorizationResponse: authResponsePayload
+    requestPayload: authRequestPayload,
+    responsePayload: authResponsePayload
   });
   if (authRequestPayload.response_mode && isJarmResponseMode(authRequestPayload.response_mode)) {
-    throw new import_oauth227.Oauth2ServerErrorResponseError(
+    throw new import_oauth229.Oauth2ServerErrorResponseError(
       {
         error: "invalid_request",
         error_description: "Invalid response mode for openid4vp response. Expected jarm response."
@@ -1616,23 +1796,12 @@ var Openid4vpVerifier = class {
 };
 
 // src/models/z-credential-formats.ts
-var import_zod20 = require("zod");
-var zCredentialFormat = import_zod20.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt"]);
-
-// src/models/z-proof-formats.ts
 var import_zod21 = require("zod");
-var zProofFormat = import_zod21.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "mso_mdoc"]);
+var zCredentialFormat = import_zod21.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
 
-// src/models/z-wallet-metadata.ts
+// src/models/z-proof-formats.ts
 var import_zod22 = require("zod");
-var zWalletMetadata = import_zod22.z.object({
-  presentation_definition_uri_supported: import_zod22.z.optional(import_zod22.z.boolean()),
-  vp_formats_supported: zVpFormatsSupported,
-  client_id_schemes_supported: import_zod22.z.optional(import_zod22.z.array(zClientIdScheme)),
-  request_object_signing_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
-  authorization_encryption_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
-  authorization_encryption_enc_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string()))
-});
+var zProofFormat = import_zod22.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   Openid4vpClient,