@openid4vc/openid4vp 0.3.0-alpha-20250225204254 → 0.3.0-alpha-20250303091928

package/dist/index.mjs

@@ -345,9 +345,19 @@ var zOpenid4vpAuthorizationRequest = z7.object({
   presentation_definition_uri: zHttpsUrl3.optional(),
   dcql_query: z7.record(z7.any()).optional(),
   client_metadata: zClientMetadata.optional(),
+  client_metadata_uri: zHttpsUrl3.optional(),
   state: z7.string().optional(),
   transaction_data: z7.array(z7.string()).optional(),
-  trust_chain: z7.unknown().optional()
+  trust_chain: z7.unknown().optional(),
+  client_id_scheme: z7.enum([
+    "pre-registered",
+    "redirect_uri",
+    "entity_id",
+    "did",
+    "verifier_attestation",
+    "x509_san_dns",
+    "x509_san_uri"
+  ]).optional()
 }).passthrough();
 
 // src/authorization-request/z-authorization-request-dc-api.ts
@@ -364,21 +374,30 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
 }).extend({
   client_id: z8.optional(z8.string()),
   expected_origins: z8.array(z8.string()).optional(),
-  response_mode: z8.enum(["dc_api", "dc_api.jwt"])
+  response_mode: z8.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
+  client_id_scheme: z8.enum([
+    "pre-registered",
+    "redirect_uri",
+    "entity_id",
+    "did",
+    "verifier_attestation",
+    "x509_san_dns",
+    "x509_san_uri"
+  ]).optional()
 }).strip();
 function isOpenid4vpAuthorizationRequestDcApi(request) {
-  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt";
+  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt" || request.response_mode === "w3c_dc_api.jwt" || request.response_mode === "w3c_dc_api";
 }
 
 // src/authorization-request/create-authorization-request.ts
 async function createOpenid4vpAuthorizationRequest(options) {
-  const { jar, scheme = "openid4vp://", requestParams, wallet, callbacks } = options;
+  const { jar, scheme = "openid4vp://", requestPayload, wallet, callbacks } = options;
   let additionalJwtPayload;
   let authRequestParams;
-  if (isOpenid4vpAuthorizationRequestDcApi(requestParams)) {
+  if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {
     authRequestParams = parseWithErrorHandling2(
       zOpenid4vpAuthorizationRequestDcApi,
-      requestParams,
+      requestPayload,
       "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
     );
     if (jar && !authRequestParams.expected_origins) {
@@ -394,7 +413,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
   } else {
     authRequestParams = parseWithErrorHandling2(
       zOpenid4vpAuthorizationRequest,
-      requestParams,
+      requestPayload,
       "Invalid authorization request. Could not parse openid4vp authorization request."
     );
     validateOpenid4vpAuthorizationRequestPayload({ params: authRequestParams, walletVerificationOptions: wallet });
@@ -407,7 +426,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
   if (jar) {
     const jarResult = await createJarAuthRequest({
       ...jar,
-      authRequestParams: requestParams,
+      authRequestParams: requestPayload,
       additionalJwtPayload,
       callbacks
     });
@@ -425,10 +444,10 @@ async function createOpenid4vpAuthorizationRequest(options) {
   const url = new URL(scheme);
   url.search = `?${new URLSearchParams([
     ...url.searchParams.entries(),
-    ...objectToQueryParams(requestParams).entries()
+    ...objectToQueryParams(requestPayload).entries()
   ]).toString()}`;
   return {
-    authRequestObject: requestParams,
+    authRequestObject: requestPayload,
     authRequest: url.toString(),
     jar: void 0
   };
@@ -514,17 +533,82 @@ function parseOpenid4vpAuthorizationRequestPayload(options) {
 }
 
 // src/authorization-request/resolve-authorization-request.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes7, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError8 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes9, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError10 } from "@openid4vc/oauth2";
 import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
-import z14 from "zod";
+import z15 from "zod";
+
+// src/client-identifier-scheme/parse-client-identifier-scheme.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5, getGlobalConfig } from "@openid4vc/oauth2";
+
+// src/version.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
+function parseAuthorizationRequestVersion(request) {
+  const requirements = [];
+  const vp_formats = request.client_metadata?.vp_formats;
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+    requirements.push(["<", 23]);
+    requirements.push([">=", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
+    requirements.push([">=", 23]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+    requirements.push([">=", 23]);
+  }
+  if (request.dcql_query) {
+    requirements.push([">=", 22]);
+  }
+  if (request.transaction_data) {
+    requirements.push([">=", 22]);
+  }
+  if (request.client_id_scheme) {
+    requirements.push(["<", 22]);
+  }
+  if (request.client_id) {
+    const colonIndex = request.client_id.indexOf(":");
+    const schemePart = request.client_id.substring(0, colonIndex);
+    const parsedScheme = zClientIdScheme.safeParse(schemePart);
+    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+      requirements.push([">=", 22]);
+    }
+  }
+  if (!request.client_id) {
+    requirements.push([">=", 21]);
+  }
+  if ("client_metadata_uri" in request) {
+    requirements.push(["<", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    requirements.push([">=", 21]);
+  }
+  if ("request_uri_method" in request || "wallet_nonce" in request) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_id_scheme === "verifier_attestation") {
+    requirements.push([">=", 20]);
+  }
+  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+    requirements.push([">=", 19]);
+  }
+  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
+  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+  if (lowestRequiredVersion > highestPossibleVersion) {
+    throw new Oauth2ServerErrorResponseError4({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: "Could not infer openid4vp version from the openid4vp request payload."
+    });
+  }
+  return highestPossibleVersion;
+}
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4, getGlobalConfig } from "@openid4vc/oauth2";
 function getClientId(options) {
   if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
     if (!options.origin) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
@@ -533,10 +617,48 @@ function getClientId(options) {
   }
   return options.request.client_id;
 }
+function getLegacyClientId(options) {
+  const legacyClientIdScheme = options.request.client_id_scheme ?? "pre-registered";
+  let clientIdScheme;
+  if (legacyClientIdScheme === "entity_id") {
+    clientIdScheme = "https";
+  } else {
+    clientIdScheme = legacyClientIdScheme;
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
+    if (!options.origin) {
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
+        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
+      });
+    }
+    if (!options.jar || !options.request.client_id) return `web-origin:${options.origin}`;
+    return `${clientIdScheme}:${options.request.client_id}`;
+  }
+  if (clientIdScheme === "https" || clientIdScheme === "did") {
+    return options.request.client_id;
+  }
+  if (clientIdScheme === "pre-registered") {
+    return options.request.client_id;
+  }
+  return `${clientIdScheme}:${options.request.client_id}`;
+}
 function parseClientIdentifier(options, parserConfig) {
   const { request, jar } = options;
+  const version = parseAuthorizationRequestVersion(request);
+  if (version < 22) {
+    const legacyClientIdScheme = request.client_id_scheme ?? "pre-registered";
+    let clientIdSchem;
+    if (legacyClientIdScheme) {
+      if (legacyClientIdScheme === "entity_id") {
+        clientIdSchem = "https";
+      } else {
+        clientIdSchem = legacyClientIdScheme;
+      }
+    }
+  }
   const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request);
-  const clientId = getClientId(options);
+  const clientId = version < 22 ? getLegacyClientId(options) : getClientId(options);
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
@@ -552,22 +674,22 @@ function parseClientIdentifier(options, parserConfig) {
   const schemePart = clientId.substring(0, colonIndex);
   const identifierPart = clientId.substring(colonIndex + 1);
   if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
-    throw new Oauth2ServerErrorResponseError4({
-      error: Oauth2ErrorCodes3.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError5({
+      error: Oauth2ErrorCodes4.InvalidRequest,
       error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
     });
   }
   const scheme = schemePart;
   if (scheme === "https") {
     if (isDcApiRequest) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: `The client identifier scheme 'https' is not supported when using the dc_api response mode.`
       });
     }
     if (!clientId.startsWith("https://") && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith("http://"))) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
       });
     }
@@ -580,14 +702,14 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "redirect_uri") {
     if (jar) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
       });
     }
     if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
       });
     }
@@ -600,26 +722,26 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "did") {
     if (!jar) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
       });
     }
     if (!clientId.startsWith("did:")) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with 'did:'"
       });
     }
     if (!jar.signer.publicJwk.kid) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: `Missing required 'kid' for client identifier scheme: did`
       });
     }
     if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
       });
     }
@@ -632,22 +754,22 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
     if (!jar) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
       });
     }
     if (jar.signer.method !== "x5c") {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
       });
     }
     if (scheme === "x509_san_dns") {
       if (!options.callbacks.getX509CertificateMetadata) {
-        throw new Oauth2ServerErrorResponseError4(
+        throw new Oauth2ServerErrorResponseError5(
           {
-            error: Oauth2ErrorCodes3.ServerError
+            error: Oauth2ErrorCodes4.ServerError
           },
           {
             internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
@@ -656,25 +778,25 @@ function parseClientIdentifier(options, parserConfig) {
       }
       const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanDnsNames.includes(identifierPart)) {
-        throw new Oauth2ServerErrorResponseError4({
-          error: Oauth2ErrorCodes3.InvalidRequest,
-          error_description: "Invalid client identifier. Client identifier must be a valid DNS name."
+        throw new Oauth2ServerErrorResponseError5({
+          error: Oauth2ErrorCodes4.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
         });
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(request)) {
         const uri = request.redirect_uri ?? request.response_uri;
         if (!uri || getDomainFromUrl(uri) !== identifierPart) {
-          throw new Oauth2ServerErrorResponseError4({
-            error: Oauth2ErrorCodes3.InvalidRequest,
+          throw new Oauth2ServerErrorResponseError5({
+            error: Oauth2ErrorCodes4.InvalidRequest,
             error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
           });
         }
       }
     } else if (scheme === "x509_san_uri") {
       if (!options.callbacks.getX509CertificateMetadata) {
-        throw new Oauth2ServerErrorResponseError4(
+        throw new Oauth2ServerErrorResponseError5(
           {
-            error: Oauth2ErrorCodes3.ServerError
+            error: Oauth2ErrorCodes4.ServerError
           },
           {
             internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
@@ -683,16 +805,16 @@ function parseClientIdentifier(options, parserConfig) {
       }
       const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
       if (!sanUriNames.includes(identifierPart)) {
-        throw new Oauth2ServerErrorResponseError4({
-          error: Oauth2ErrorCodes3.InvalidRequest,
-          error_description: "Invalid client identifier. Client identifier must be a valid URI."
+        throw new Oauth2ServerErrorResponseError5({
+          error: Oauth2ErrorCodes4.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
         });
       }
       if (!isOpenid4vpAuthorizationRequestDcApi(request)) {
         const uri = request.redirect_uri || request.response_uri;
         if (!uri || uri !== identifierPart) {
-          throw new Oauth2ServerErrorResponseError4({
-            error: Oauth2ErrorCodes3.InvalidRequest,
+          throw new Oauth2ServerErrorResponseError5({
+            error: Oauth2ErrorCodes4.InvalidRequest,
             error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
           });
         }
@@ -715,8 +837,8 @@ function parseClientIdentifier(options, parserConfig) {
   }
   if (scheme === "verifier_attestation") {
     if (!jar) {
-      throw new Oauth2ServerErrorResponseError4({
-        error: Oauth2ErrorCodes3.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError5({
+        error: Oauth2ErrorCodes4.InvalidRequest,
         error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
       });
     }
@@ -733,17 +855,57 @@ function getDomainFromUrl(url) {
     const domain = url.split("://")[1].split(regex)[0];
     return domain;
   } catch (error) {
-    throw new Oauth2ServerErrorResponseError4({
-      error: Oauth2ErrorCodes3.ServerError,
+    throw new Oauth2ServerErrorResponseError5({
+      error: Oauth2ErrorCodes4.ServerError,
       error_description: `Url '${url}' is not a valid URL`
     });
   }
 }
 
+// src/fetch-client-metadata.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
+import { ContentType, createZodFetcher } from "@openid4vc/utils";
+
+// src/models/z-wallet-metadata.ts
+import { z as z11 } from "zod";
+var zWalletMetadata = z11.object({
+  presentation_definition_uri_supported: z11.optional(z11.boolean()),
+  vp_formats_supported: zVpFormatsSupported,
+  client_id_schemes_supported: z11.optional(z11.array(zClientIdScheme)),
+  request_object_signing_alg_values_supported: z11.optional(z11.array(z11.string())),
+  authorization_encryption_alg_values_supported: z11.optional(z11.array(z11.string())),
+  authorization_encryption_enc_values_supported: z11.optional(z11.array(z11.string()))
+});
+
+// src/fetch-client-metadata.ts
+async function fetchClientMetadata(options) {
+  const { fetch, clientMetadataUri } = options;
+  const fetcher = createZodFetcher(fetch);
+  const { result, response } = await fetcher(zWalletMetadata, ContentType.Json, clientMetadataUri, {
+    method: "GET",
+    headers: {
+      Accept: ContentType.Json
+    }
+  });
+  if (!response.ok) {
+    throw new Oauth2ServerErrorResponseError6({
+      error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
+      error: Oauth2ErrorCodes5.InvalidRequestUri
+    });
+  }
+  if (!result || !result.success) {
+    throw new Oauth2ServerErrorResponseError6({
+      error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
+      error: Oauth2ErrorCodes5.InvalidRequestObject
+    });
+  }
+  return result.data;
+}
+
 // src/jar/handle-jar-request/verify-jar-request.ts
 import {
-  Oauth2ErrorCodes as Oauth2ErrorCodes5,
-  Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6,
+  Oauth2ErrorCodes as Oauth2ErrorCodes7,
+  Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError8,
   decodeJwt as decodeJwt3,
   jwtSignerFromJwt as jwtSignerFromJwt2,
   verifyJwt,
@@ -752,35 +914,35 @@ import {
 } from "@openid4vc/oauth2";
 
 // src/jar/jar-request-object/fetch-jar-request-object.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
-import { ContentType, createZodFetcher, objectToQueryParams as objectToQueryParams2 } from "@openid4vc/utils";
-import { z as z11 } from "zod";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes6, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError7 } from "@openid4vc/oauth2";
+import { ContentType as ContentType2, createZodFetcher as createZodFetcher2, objectToQueryParams as objectToQueryParams2 } from "@openid4vc/utils";
+import { z as z12 } from "zod";
 async function fetchJarRequestObject(options) {
   const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options;
-  const fetcher = createZodFetcher(fetch);
+  const fetcher = createZodFetcher2(fetch);
   let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
   if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdentifierScheme === "redirect_uri") {
     const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
     requestBody = { ...requestBody, wallet_metadata: { ...rest } };
   }
-  const { result, response } = await fetcher(z11.string(), ContentType.OAuthRequestObjectJwt, requestUri, {
+  const { result, response } = await fetcher(z12.string(), ContentType2.OAuthRequestObjectJwt, requestUri, {
     method,
     headers: {
-      Accept: `${ContentType.OAuthRequestObjectJwt}, ${ContentType.Jwt};q=0.9`,
-      "Content-Type": ContentType.XWwwFormUrlencoded
+      Accept: `${ContentType2.OAuthRequestObjectJwt}, ${ContentType2.Jwt};q=0.9`,
+      "Content-Type": ContentType2.XWwwFormUrlencoded
     },
     body: method === "POST" ? objectToQueryParams2(wallet.metadata ?? {}) : void 0
   });
   if (!response.ok) {
-    throw new Oauth2ServerErrorResponseError5({
+    throw new Oauth2ServerErrorResponseError7({
       error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
-      error: Oauth2ErrorCodes4.InvalidRequestUri
+      error: Oauth2ErrorCodes6.InvalidRequestUri
     });
   }
   if (!result || !result.success) {
-    throw new Oauth2ServerErrorResponseError5({
+    throw new Oauth2ServerErrorResponseError7({
       error_description: `Parsing request_object from request_uri '${requestUri}' failed.`,
-      error: Oauth2ErrorCodes4.InvalidRequestObject
+      error: Oauth2ErrorCodes6.InvalidRequestObject
     });
   }
   return result.data;
@@ -788,10 +950,10 @@ async function fetchJarRequestObject(options) {
 
 // src/jar/jar-request-object/z-jar-request-object.ts
 import { zJwtPayload as zJwtPayload2 } from "@openid4vc/oauth2";
-import { z as z12 } from "zod";
-var zJarRequestObjectPayload = z12.object({
+import { z as z13 } from "zod";
+var zJarRequestObjectPayload = z13.object({
   ...zJwtPayload2.shape,
-  client_id: z12.string()
+  client_id: z13.string()
 }).passthrough();
 
 // src/jar/handle-jar-request/verify-jar-request.ts
@@ -802,8 +964,8 @@ async function verifyJarRequest(options) {
   const clientIdentifierScheme = jarRequestParams.client_id ? zClientIdScheme.parse(jarRequestParams.client_id.split(":")[0]) : "web-origin";
   const method = jarRequestParams.request_uri_method ?? "GET";
   if (method !== "GET" && method !== "POST") {
-    throw new Oauth2ServerErrorResponseError6({
-      error: Oauth2ErrorCodes5.InvalidRequestUriMethod,
+    throw new Oauth2ServerErrorResponseError8({
+      error: Oauth2ErrorCodes7.InvalidRequestUriMethod,
       error_description: "Invalid request_uri_method. Must be GET or POST."
     });
   }
@@ -817,8 +979,8 @@ async function verifyJarRequest(options) {
   const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted ? await decryptJarRequest({ jwe: requestObject, callbacks }) : { payload: requestObject, decryptionJwk: void 0 };
   const requestIsSigned = zCompactJwt2.safeParse(decryptedRequestObject).success;
   if (!requestIsSigned) {
-    throw new Oauth2ServerErrorResponseError6({
-      error: Oauth2ErrorCodes5.InvalidRequestObject,
+    throw new Oauth2ServerErrorResponseError8({
+      error: Oauth2ErrorCodes7.InvalidRequestObject,
       error_description: "Jar Request Object is not a valid JWS."
     });
   }
@@ -827,14 +989,14 @@ async function verifyJarRequest(options) {
     callbacks
   });
   if (!authRequestParams.client_id) {
-    throw new Oauth2ServerErrorResponseError6({
-      error: Oauth2ErrorCodes5.InvalidRequestObject,
+    throw new Oauth2ServerErrorResponseError8({
+      error: Oauth2ErrorCodes7.InvalidRequestObject,
       error_description: 'Jar Request Object is missing the required "client_id" field.'
     });
   }
   if (jarRequestParams.client_id !== authRequestParams.client_id) {
-    throw new Oauth2ServerErrorResponseError6({
-      error: Oauth2ErrorCodes5.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError8({
+      error: Oauth2ErrorCodes7.InvalidRequest,
       error_description: "client_id does not match the request object client_id."
     });
   }
@@ -849,14 +1011,14 @@ async function decryptJarRequest(options) {
   const { jwe, callbacks } = options;
   const { header } = decodeJwt3({ jwt: jwe });
   if (!header.kid) {
-    throw new Oauth2ServerErrorResponseError6({
-      error: Oauth2ErrorCodes5.InvalidRequestObject,
+    throw new Oauth2ServerErrorResponseError8({
+      error: Oauth2ErrorCodes7.InvalidRequestObject,
       error_description: 'Jar JWE is missing the protected header field "kid".'
     });
   }
   const decryptionResult = await callbacks.decryptJwe(jwe);
   if (!decryptionResult.decrypted) {
-    throw new Oauth2ServerErrorResponseError6({
+    throw new Oauth2ServerErrorResponseError8({
       error: "invalid_request_object",
       error_description: "Failed to decrypt jar request object."
     });
@@ -874,21 +1036,28 @@ async function verifyJarRequestObject(options) {
     payload: jwt.payload,
     signer: jwtSigner
   });
+  const version = parseAuthorizationRequestVersion(jwt.payload);
+  if (jwt.header.typ !== "oauth-authz-req+jwt" && version >= 24) {
+    throw new Oauth2ServerErrorResponseError8({
+      error: Oauth2ErrorCodes7.InvalidRequestObject,
+      error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
+    });
+  }
   return { authRequestParams: jwt.payload, signer };
 }
 
 // src/transaction-data/parse-transaction-data.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes6, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError7 } from "@openid4vc/oauth2";
+import { Oauth2ErrorCodes as Oauth2ErrorCodes8, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError9 } from "@openid4vc/oauth2";
 import { decodeBase64, encodeToUtf8String, parseIfJson } from "@openid4vc/utils";
 
 // src/transaction-data/z-transaction-data.ts
-import { z as z13 } from "zod";
-var zTransactionEntry = z13.object({
-  type: z13.string(),
-  credential_ids: z13.array(z13.string()).min(1),
-  transaction_data_hashes_alg: z13.array(z13.string()).optional()
+import { z as z14 } from "zod";
+var zTransactionEntry = z14.object({
+  type: z14.string(),
+  credential_ids: z14.array(z14.string()).min(1),
+  transaction_data_hashes_alg: z14.array(z14.string()).optional()
 });
-var zTransactionData = z13.array(zTransactionEntry);
+var zTransactionData = z14.array(zTransactionEntry);
 
 // src/transaction-data/parse-transaction-data.ts
 function parseTransactionData(options) {
@@ -896,8 +1065,8 @@ function parseTransactionData(options) {
   const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))));
   const parsedResult = zTransactionData.safeParse(decoded);
   if (!parsedResult.success) {
-    throw new Oauth2ServerErrorResponseError7({
-      error: Oauth2ErrorCodes6.InvalidTransactionData,
+    throw new Oauth2ServerErrorResponseError9({
+      error: Oauth2ErrorCodes8.InvalidTransactionData,
       error_description: "Failed to parse transaction data."
     });
   }
@@ -906,18 +1075,18 @@ function parseTransactionData(options) {
 
 // src/authorization-request/resolve-authorization-request.ts
 async function resolveOpenid4vpAuthorizationRequest(options) {
-  const { request, wallet, callbacks, origin, omitOriginValidation } = options;
+  const { requestPayload, wallet, callbacks, origin, omitOriginValidation } = options;
   let authRequestPayload;
   const parsed = parseWithErrorHandling4(
-    z14.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),
-    request,
+    z15.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),
+    requestPayload,
     "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
   );
   let jar;
   if (isJarAuthRequest(parsed)) {
     jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
     const parsedJarAuthRequestPayload = parseWithErrorHandling4(
-      z14.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
+      z15.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
       jar.authRequestParams,
       "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
     );
@@ -937,13 +1106,22 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
       omitOriginValidation
     });
   }
-  const clientMeta = parseClientIdentifier({ request: authRequestPayload, jar, callbacks, origin });
+  let clientMetadata;
+  if (!isOpenid4vpAuthorizationRequestDcApi(authRequestPayload) && authRequestPayload.client_metadata_uri) {
+    clientMetadata = await fetchClientMetadata({ clientMetadataUri: authRequestPayload.client_metadata_uri });
+  }
+  const clientMeta = parseClientIdentifier({
+    request: { ...authRequestPayload, client_metadata: clientMetadata ?? authRequestPayload.client_metadata },
+    jar,
+    callbacks,
+    origin
+  });
   let pex;
   let dcql;
   if (authRequestPayload.presentation_definition || authRequestPayload.presentation_definition_uri) {
     if (authRequestPayload.presentation_definition_uri) {
-      throw new Oauth2ServerErrorResponseError8({
-        error: Oauth2ErrorCodes7.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError10({
+        error: Oauth2ErrorCodes9.InvalidRequest,
         error_description: "Cannot fetch presentation definition from URI. Not supported."
       });
     }
@@ -958,7 +1136,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   const transactionData = authRequestPayload.transaction_data ? parseTransactionData({ transactionData: authRequestPayload.transaction_data }) : void 0;
   return {
     transactionData,
-    payload: authRequestPayload,
+    requestPayload: authRequestPayload,
     jar,
     client: { ...clientMeta },
     pex,
@@ -983,8 +1161,8 @@ function validateOpenId4vpPayload(options) {
 // src/authorization-response/create-authorization-response.ts
 import {
   Oauth2Error as Oauth2Error7,
-  Oauth2ErrorCodes as Oauth2ErrorCodes8,
-  Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError9
+  Oauth2ErrorCodes as Oauth2ErrorCodes10,
+  Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError11
 } from "@openid4vc/oauth2";
 import { dateToSeconds as dateToSeconds2 } from "@openid4vc/utils";
 
@@ -1027,13 +1205,15 @@ function extractJwksFromClientMetadata(clientMetadata) {
   const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
   const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
   const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc");
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig");
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
   return { encJwk, sigJwk };
 }
 
 // src/jarm/jarm-response-mode.ts
-import { z as z15 } from "zod";
+import { z as z16 } from "zod";
 var jarmResponseMode = [
   "jwt",
   "query.jwt",
@@ -1042,7 +1222,7 @@ var jarmResponseMode = [
   "direct_post.jwt",
   "dc_api.jwt"
 ];
-var zJarmResponseMode = z15.enum(jarmResponseMode);
+var zJarmResponseMode = z16.enum(jarmResponseMode);
 var isJarmResponseMode = (responseMode) => {
   return jarmResponseMode.includes(responseMode);
 };
@@ -1088,55 +1268,55 @@ function jarmAssertMetadataSupported(options) {
 
 // src/authorization-response/create-authorization-response.ts
 async function createOpenid4vpAuthorizationResponse(options) {
-  const { requestParams, responseParams, jarm, callbacks } = options;
-  const openid4vpAuthResponseParams = {
-    ...responseParams,
-    ..."state" in requestParams && { state: requestParams.state }
+  const { requestPayload, jarm, callbacks } = options;
+  const responsePayload = {
+    ...options.responsePayload,
+    ..."state" in requestPayload && { state: requestPayload.state }
   };
-  if (requestParams.response_mode && isJarmResponseMode(requestParams.response_mode) && !jarm) {
+  if (requestPayload.response_mode && isJarmResponseMode(requestPayload.response_mode) && !jarm) {
     throw new Oauth2Error7(
-      `Missing jarm options for creating Jarm response with response mode '${requestParams.response_mode}'`
+      `Missing jarm options for creating Jarm response with response mode '${requestPayload.response_mode}'`
     );
   }
   if (!jarm) {
     return {
-      responseParams: openid4vpAuthResponseParams
+      responsePayload
     };
   }
-  if (!requestParams.client_metadata) {
+  if (!requestPayload.client_metadata) {
     throw new Oauth2Error7("Missing client metadata in the request params to assert Jarm metadata support.");
   }
-  if (!requestParams.client_metadata.jwks) {
-    throw new Oauth2ServerErrorResponseError9({
-      error: Oauth2ErrorCodes8.InvalidRequest,
+  if (!requestPayload.client_metadata.jwks) {
+    throw new Oauth2ServerErrorResponseError11({
+      error: Oauth2ErrorCodes10.InvalidRequest,
       error_description: "Missing JWKS in client metadata. Cannot extract encryption JWK."
     });
   }
   const supportedJarmMetadata = jarmAssertMetadataSupported({
-    clientMetadata: requestParams.client_metadata,
+    clientMetadata: requestPayload.client_metadata,
     serverMetadata: jarm.serverMetadata
   });
   const clientMetaJwks = extractJwksFromClientMetadata({
-    ...requestParams.client_metadata,
-    jwks: requestParams.client_metadata.jwks
+    ...requestPayload.client_metadata,
+    jwks: requestPayload.client_metadata.jwks
   });
   if (!clientMetaJwks?.encJwk) {
-    throw new Oauth2ServerErrorResponseError9({
-      error: Oauth2ErrorCodes8.InvalidRequest,
+    throw new Oauth2ServerErrorResponseError11({
+      error: Oauth2ErrorCodes10.InvalidRequest,
       error_description: "Could not extract encryption JWK from client metadata. Failed to create JARM response."
     });
   }
   let additionalJwtPayload;
   if (jarm?.jwtSigner) {
     if (!jarm.authorizationServer) {
-      throw new Oauth2ServerErrorResponseError9({
-        error: Oauth2ErrorCodes8.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError11({
+        error: Oauth2ErrorCodes10.InvalidRequest,
         error_description: "Missing required iss in JARM configuration for creating OpenID4VP authorization response."
       });
     }
     if (!jarm.audience) {
-      throw new Oauth2ServerErrorResponseError9({
-        error: Oauth2ErrorCodes8.InvalidRequest,
+      throw new Oauth2ServerErrorResponseError11({
+        error: Oauth2ErrorCodes10.InvalidRequest,
         error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
       });
     }
@@ -1147,18 +1327,18 @@ async function createOpenid4vpAuthorizationResponse(options) {
       // default: 10 minutes
     };
   }
-  const jarmResponseParams = {
-    ...openid4vpAuthResponseParams,
+  const jarmResponsePayload = {
+    ...responsePayload,
     ...additionalJwtPayload
   };
   const result = await createJarmAuthResponse({
-    jarmAuthResponse: jarmResponseParams,
+    jarmAuthResponse: jarmResponsePayload,
     jwtSigner: jarm?.jwtSigner,
     jweEncryptor: jarm?.encryption && (supportedJarmMetadata.type === "encrypt" || supportedJarmMetadata.type === "sign_encrypt") ? {
       method: "jwk",
       publicJwk: clientMetaJwks.encJwk,
       apu: jarm.encryption?.nonce,
-      apv: requestParams.nonce,
+      apv: requestPayload.nonce,
       alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,
       enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc
     } : void 0,
@@ -1168,19 +1348,19 @@ async function createOpenid4vpAuthorizationResponse(options) {
     }
   });
   return {
-    responseParams: jarmResponseParams,
+    responsePayload: jarmResponsePayload,
     jarm: { responseJwt: result.jarmAuthResponseJwt }
   };
 }
 
 // src/authorization-response/submit-authorization-response.ts
 import { Oauth2Error as Oauth2Error9 } from "@openid4vc/oauth2";
-import { ContentType as ContentType3, defaultFetcher as defaultFetcher2 } from "@openid4vc/utils";
+import { ContentType as ContentType4, defaultFetcher as defaultFetcher2 } from "@openid4vc/utils";
 import { objectToQueryParams as objectToQueryParams3 } from "@openid4vc/utils";
 
 // src/jarm/jarm-auth-response-send.ts
 import { Oauth2Error as Oauth2Error8 } from "@openid4vc/oauth2";
-import { ContentType as ContentType2, URL as URL3, defaultFetcher } from "@openid4vc/utils";
+import { ContentType as ContentType3, URL as URL3, defaultFetcher } from "@openid4vc/utils";
 var jarmAuthResponseSend = (options) => {
   const { authRequest, jarmAuthResponseJwt, callbacks } = options;
   const responseEndpoint = authRequest.response_uri ?? authRequest.redirect_uri;
@@ -1193,7 +1373,7 @@ var jarmAuthResponseSend = (options) => {
 async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
   const response = await (callbacks.fetch ?? defaultFetcher)(responseEndpoint, {
     method: "POST",
-    headers: { "Content-Type": ContentType2.XWwwFormUrlencoded },
+    headers: { "Content-Type": ContentType3.XWwwFormUrlencoded },
     body: `response=${responseJwt}`
   });
   return {
@@ -1204,11 +1384,11 @@ async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
 
 // src/authorization-response/submit-authorization-response.ts
 async function submitOpenid4vpAuthorizationResponse(options) {
-  const { request, response, jarm, callbacks } = options;
-  const url = request.response_uri;
+  const { requestPayload, responsePayload, jarm, callbacks } = options;
+  const url = requestPayload.response_uri;
   if (jarm) {
     return jarmAuthResponseSend({
-      authRequest: request,
+      authRequest: requestPayload,
       jarmAuthResponseJwt: jarm.responseJwt,
       callbacks
     });
@@ -1219,12 +1399,12 @@ async function submitOpenid4vpAuthorizationResponse(options) {
     );
   }
   const fetch = callbacks.fetch ?? defaultFetcher2;
-  const encodedResponse = objectToQueryParams3(response);
+  const encodedResponse = objectToQueryParams3(responsePayload);
   const submissionResponse = await fetch(url, {
     method: "POST",
     body: encodedResponse,
     headers: {
-      "Content-Type": ContentType3.XWwwFormUrlencoded
+      "Content-Type": ContentType4.XWwwFormUrlencoded
     }
   });
   return {
@@ -1240,7 +1420,7 @@ import { Oauth2Error as Oauth2Error11 } from "@openid4vc/oauth2";
 import { Oauth2Error as Oauth2Error10, decodeJwt as decodeJwt4 } from "@openid4vc/oauth2";
 import { zCompactJwt as zCompactJwt3 } from "@openid4vc/oauth2";
 import { isObject, parseIfJson as parseIfJson2, parseWithErrorHandling as parseWithErrorHandling5 } from "@openid4vc/utils";
-import { z as z16 } from "zod";
+import { z as z17 } from "zod";
 function parsePresentationsFromVpToken(options) {
   const { vpToken: _vpToken } = options;
   const vpToken = parseIfJson2(_vpToken);
@@ -1260,7 +1440,7 @@ function parsePresentationsFromVpToken(options) {
 function parseDcqlPresentationFromVpToken(options) {
   const { vpToken: _vpToken } = options;
   const vpToken = parseIfJson2(_vpToken);
-  const parsed = parseWithErrorHandling5(z16.object({}).passthrough(), vpToken);
+  const parsed = parseWithErrorHandling5(z17.object({}).passthrough(), vpToken);
   const dcqlPresentationRecord = Object.fromEntries(
     Object.entries(parsed).map(([key, value]) => {
       return [key, parseSinglePresentationFromVpToken({ vpToken: value })];
@@ -1271,11 +1451,11 @@ function parseDcqlPresentationFromVpToken(options) {
 function parseSinglePresentationFromVpToken(options) {
   const { vpToken: _vpToken, path } = options;
   const vpToken = parseIfJson2(_vpToken);
-  const zLdpVpProof = z16.object({ challenge: z16.string().optional() }).passthrough();
-  const ldpVpParseResult = z16.object({
-    "@context": z16.string().optional(),
-    verifiableCredential: z16.string().optional(),
-    proof: z16.union([zLdpVpProof, z16.array(zLdpVpProof)]).optional()
+  const zLdpVpProof = z17.object({ challenge: z17.string().optional() }).passthrough();
+  const ldpVpParseResult = z17.object({
+    "@context": z17.string().optional(),
+    verifiableCredential: z17.string().optional(),
+    proof: z17.union([zLdpVpProof, z17.array(zLdpVpProof)]).optional()
   }).passthrough().safeParse(vpToken);
   if (ldpVpParseResult.success && (ldpVpParseResult.data["@context"] || ldpVpParseResult.data.verifiableCredential)) {
     const challenge = Array.isArray(ldpVpParseResult.data.proof) ? ldpVpParseResult.data.proof.map((proof) => proof.challenge) : ldpVpParseResult.data.proof?.challenge;
@@ -1352,61 +1532,61 @@ function parseSinglePresentationFromVpToken(options) {
 
 // src/authorization-response/validate-authorization-response.ts
 function validateOpenid4vpAuthorizationResponse(options) {
-  const { authorizationRequest, authorizationResponse } = options;
-  if (!authorizationResponse.vp_token) {
+  const { requestPayload, responsePayload } = options;
+  if (!responsePayload.vp_token) {
     throw new Oauth2Error11("Failed to verify OpenId4Vp Authorization Response. vp_token is missing.");
   }
-  if ("state" in authorizationRequest && authorizationRequest.state !== authorizationResponse.state) {
+  if ("state" in requestPayload && requestPayload.state !== responsePayload.state) {
     throw new Oauth2Error11("OpenId4Vp Authorization Response state mismatch.");
   }
-  if (authorizationResponse.id_token) {
+  if (responsePayload.id_token) {
     throw new Oauth2Error11("OpenId4Vp Authorization Response id_token is not supported.");
   }
-  if (authorizationResponse.presentation_submission) {
-    if (!authorizationRequest.presentation_definition) {
+  if (responsePayload.presentation_submission) {
+    if (!requestPayload.presentation_definition) {
       throw new Oauth2Error11("OpenId4Vp Authorization Request is missing the required presentation_definition.");
     }
-    const presentations = parsePresentationsFromVpToken({ vpToken: authorizationResponse.vp_token });
-    if (presentations.every((p) => p.nonce) && !presentations.every((p) => p.nonce === authorizationRequest.nonce)) {
+    const presentations = parsePresentationsFromVpToken({ vpToken: responsePayload.vp_token });
+    if (presentations.every((p) => p.nonce) && !presentations.every((p) => p.nonce === requestPayload.nonce)) {
       throw new Oauth2Error11(
         "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
       );
     }
     return {
       type: "pex",
-      pex: "scope" in authorizationRequest && authorizationRequest.scope ? {
-        scope: authorizationRequest.scope,
-        presentationSubmission: authorizationResponse.presentation_submission,
+      pex: "scope" in requestPayload && requestPayload.scope ? {
+        scope: requestPayload.scope,
+        presentationSubmission: responsePayload.presentation_submission,
         presentations
       } : {
-        presentationDefinition: authorizationRequest.presentation_definition,
-        presentationSubmission: authorizationResponse.presentation_submission,
+        presentationDefinition: requestPayload.presentation_definition,
+        presentationSubmission: responsePayload.presentation_submission,
         presentations
       }
     };
   }
-  if (authorizationRequest.dcql_query) {
-    if (Array.isArray(authorizationResponse.vp_token)) {
+  if (requestPayload.dcql_query) {
+    if (Array.isArray(responsePayload.vp_token)) {
       throw new Oauth2Error11(
         "The OpenId4Vp Authorization Response contains multiple vp_token values. In combination with dcql this is not possible."
       );
     }
-    if (typeof authorizationResponse.vp_token !== "string" && typeof authorizationResponse.vp_token !== "object") {
+    if (typeof responsePayload.vp_token !== "string" && typeof responsePayload.vp_token !== "object") {
       throw new Oauth2Error11("With DCQL the vp_token must be a JSON-encoded object.");
     }
-    const presentation = parseDcqlPresentationFromVpToken({ vpToken: authorizationResponse.vp_token });
-    if (Object.values(presentation).every((p) => p.nonce) && !Object.values(presentation).every((p) => p.nonce === authorizationRequest.nonce)) {
+    const presentation = parseDcqlPresentationFromVpToken({ vpToken: responsePayload.vp_token });
+    if (Object.values(presentation).every((p) => p.nonce) && !Object.values(presentation).every((p) => p.nonce === requestPayload.nonce)) {
       throw new Oauth2Error11(
         "Presentation nonce mismatch. The nonce of some presentations does not match the nonce of the request."
       );
     }
     return {
       type: "dcql",
-      dcql: "scope" in authorizationRequest && authorizationRequest.scope ? {
-        scope: authorizationRequest.scope,
+      dcql: "scope" in requestPayload && requestPayload.scope ? {
+        scope: requestPayload.scope,
         presentation
       } : {
-        query: authorizationRequest.dcql_query,
+        query: requestPayload.dcql_query,
         presentation
       }
     };
@@ -1417,28 +1597,28 @@ function validateOpenid4vpAuthorizationResponse(options) {
 }
 
 // src/authorization-response/parse-authorization-response.ts
-import { Oauth2Error as Oauth2Error13, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError10 } from "@openid4vc/oauth2";
+import { Oauth2Error as Oauth2Error13, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError12 } from "@openid4vc/oauth2";
 
 // src/authorization-response/parse-authorization-response-payload.ts
 import { parseWithErrorHandling as parseWithErrorHandling6 } from "@openid4vc/utils";
 
 // src/authorization-response/z-authorization-response.ts
-import { z as z18 } from "zod";
+import { z as z19 } from "zod";
 
 // src/vp-token/z-vp-token.ts
-import { z as z17 } from "zod";
-var zVpToken = z17.union([z17.string(), z17.array(z17.union([z17.string(), z17.record(z17.any())])), z17.record(z17.any())]);
+import { z as z18 } from "zod";
+var zVpToken = z18.union([z18.string(), z18.array(z18.union([z18.string(), z18.record(z18.any())])), z18.record(z18.any())]);
 
 // src/authorization-response/z-authorization-response.ts
-var zOpenid4vpAuthorizationResponse = z18.object({
-  state: z18.string().optional(),
-  id_token: z18.string().optional(),
+var zOpenid4vpAuthorizationResponse = z19.object({
+  state: z19.string().optional(),
+  id_token: z19.string().optional(),
   vp_token: zVpToken,
-  presentation_submission: z18.unknown().optional(),
-  refresh_token: z18.string().optional(),
-  token_type: z18.string().optional(),
-  access_token: z18.string().optional(),
-  expires_in: z18.number().optional()
+  presentation_submission: z19.unknown().optional(),
+  refresh_token: z19.string().optional(),
+  token_type: z19.string().optional(),
+  access_token: z19.string().optional(),
+  expires_in: z19.number().optional()
 }).passthrough();
 
 // src/authorization-response/parse-authorization-response-payload.ts
@@ -1459,16 +1639,16 @@ import {
   zJwtHeader as zJwtHeader2
 } from "@openid4vc/oauth2";
 import { decodeBase64 as decodeBase642, encodeToUtf8String as encodeToUtf8String2, parseWithErrorHandling as parseWithErrorHandling7 } from "@openid4vc/utils";
-import z19 from "zod";
+import z20 from "zod";
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks } = options;
   const jarmAuthorizationResponseJwt = parseWithErrorHandling7(
-    z19.union([zCompactJwt4, zCompactJwe3]),
+    z20.union([zCompactJwt4, zCompactJwe3]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
   const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks });
-  const zJarmHeader = z19.object({ ...zJwtHeader2.shape, apu: z19.string().optional(), apv: z19.string().optional() });
+  const zJarmHeader = z20.object({ ...zJwtHeader2.shape, apu: z20.string().optional(), apv: z20.string().optional() });
   const { header: jarmHeader } = decodeJwtHeader2({
     jwt: jarmAuthorizationResponseJwt,
     headerSchema: zJarmHeader
@@ -1481,8 +1661,8 @@ async function parseJarmAuthorizationResponse(options) {
   }
   const authResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
-    authorizationRequest: parsedAuthorizationRequest.params,
-    authorizationResponse: authResponsePayload
+    requestPayload: parsedAuthorizationRequest.params,
+    responsePayload: authResponsePayload
   });
   const authRequestPayload = parsedAuthorizationRequest.params;
   if (!authRequestPayload.response_mode || !isJarmResponseMode(authRequestPayload.response_mode)) {
@@ -1522,11 +1702,11 @@ async function parseOpenid4vpAuthorizationResponse(options) {
   }
   const authRequestPayload = parsedAuthRequest.params;
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponse({
-    authorizationRequest: authRequestPayload,
-    authorizationResponse: authResponsePayload
+    requestPayload: authRequestPayload,
+    responsePayload: authResponsePayload
   });
   if (authRequestPayload.response_mode && isJarmResponseMode(authRequestPayload.response_mode)) {
-    throw new Oauth2ServerErrorResponseError10(
+    throw new Oauth2ServerErrorResponseError12(
       {
         error: "invalid_request",
         error_description: "Invalid response mode for openid4vp response. Expected jarm response."
@@ -1589,23 +1769,12 @@ var Openid4vpVerifier = class {
 };
 
 // src/models/z-credential-formats.ts
-import { z as z20 } from "zod";
-var zCredentialFormat = z20.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt"]);
-
-// src/models/z-proof-formats.ts
 import { z as z21 } from "zod";
-var zProofFormat = z21.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "mso_mdoc"]);
+var zCredentialFormat = z21.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
 
-// src/models/z-wallet-metadata.ts
+// src/models/z-proof-formats.ts
 import { z as z22 } from "zod";
-var zWalletMetadata = z22.object({
-  presentation_definition_uri_supported: z22.optional(z22.boolean()),
-  vp_formats_supported: zVpFormatsSupported,
-  client_id_schemes_supported: z22.optional(z22.array(zClientIdScheme)),
-  request_object_signing_alg_values_supported: z22.optional(z22.array(z22.string())),
-  authorization_encryption_alg_values_supported: z22.optional(z22.array(z22.string())),
-  authorization_encryption_enc_values_supported: z22.optional(z22.array(z22.string()))
-});
+var zProofFormat = z22.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
 export {
   Openid4vpClient,
   Openid4vpVerifier,