npm - @openid4vc/openid4vp - Versions diffs - 0.3.0-alpha-20250307131618 → 0.3.0-alpha-20250315153009 - Mend

@openid4vc/openid4vp 0.3.0-alpha-20250307131618 → 0.3.0-alpha-20250315153009

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -70,132 +70,41 @@ var zClientIdScheme = import_zod.z.enum([
   "web-origin"
 ]);
-// src/jarm/jarm-auth-response/verify-jarm-auth-response.ts
-var import_oauth23 = require("@openid4vc/oauth2");
-var import_zod3 = __toESM(require("zod"));
-// src/jarm/jarm-auth-response/jarm-validate-auth-response.ts
-var import_oauth22 = require("@openid4vc/oauth2");
-var import_utils = require("@openid4vc/utils");
+// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+var import_oauth24 = require("@openid4vc/oauth2");
+var import_zod4 = __toESM(require("zod"));
-// src/jarm/jarm-auth-response/z-jarm-auth-response.ts
+// src/jarm/metadata/z-jarm-client-metadata.ts
 var import_oauth2 = require("@openid4vc/oauth2");
+var import_utils = require("@openid4vc/utils");
 var import_zod2 = require("zod");
-var zJarmHeader = import_zod2.z.object({ ...import_oauth2.zJwtHeader.shape, apu: import_zod2.z.string().optional(), apv: import_zod2.z.string().optional() });
-var zJarmAuthResponse = import_zod2.z.object({
-  /**
-   * iss: The issuer URL of the authorization server that created the response
-   * aud: The client_id of the client the response is intended for
-   * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
-   */
-  ...import_oauth2.zJwtPayload.shape,
-  ...import_oauth2.zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
-  state: import_zod2.z.optional(import_zod2.z.string())
-}).passthrough();
-var zJarmAuthResponseEncryptedOnly = import_zod2.z.object({
-  ...import_oauth2.zJwtPayload.shape,
-  state: import_zod2.z.optional(import_zod2.z.string())
-}).passthrough();
-// src/jarm/jarm-auth-response/jarm-validate-auth-response.ts
-var jarmAuthResponseValidate = (options) => {
-  const { clientId, authorizationResponse } = options;
-  if (!zJarmAuthResponse.safeParse(authorizationResponse).success) {
-    return;
-  }
-  if (clientId !== authorizationResponse.aud) {
-    throw new import_oauth22.Oauth2Error(
-      `Invalid 'aud' claim in JARM authorization response. Expected '${clientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
-    );
-  }
-  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils.dateToSeconds)()) {
-    throw new import_oauth22.Oauth2Error("Jarm auth response is expired.");
-  }
-};
-// src/jarm/jarm-auth-response/verify-jarm-auth-response.ts
-var decryptJarmRequestData = async (options) => {
-  const { requestData, callbacks } = options;
-  const { header } = (0, import_oauth23.decodeJwtHeader)({ jwt: requestData });
-  if (!header.kid) {
-    throw new import_oauth23.Oauth2Error('Jarm JWE is missing the protected header field "kid".');
-  }
-  const result = await callbacks.decryptJwe(requestData);
-  if (!result.decrypted) {
-    throw new import_oauth23.Oauth2Error("Failed to decrypt jarm auth response.");
-  }
-  return result.payload;
-};
-async function verifyJarmAuthorizationResponse(options) {
-  const { jarmAuthorizationResponseJwt, callbacks } = options;
-  const requestDataIsEncrypted = import_oauth23.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
-  const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmRequestData({ requestData: jarmAuthorizationResponseJwt, callbacks }) : jarmAuthorizationResponseJwt;
-  const responseIsSigned = import_oauth23.zCompactJwt.safeParse(decryptedRequestData).success;
-  if (!requestDataIsEncrypted && !responseIsSigned) {
-    throw new import_oauth23.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
-  }
-  let jarmAuthResponse;
-  if (responseIsSigned) {
-    const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth23.decodeJwt)({
-      jwt: decryptedRequestData,
-      headerSchema: import_zod3.default.object({ ...import_oauth23.zJwtHeader.shape, kid: import_zod3.default.string() })
-    });
-    const response = zJarmAuthResponse.parse(jwsPayload);
-    const jwtSigner = (0, import_oauth23.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
-    const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
-      compact: decryptedRequestData,
-      header: jwsProtectedHeader,
-      payload: jwsPayload
-    });
-    if (!verificationResult.verified) {
-      throw new import_oauth23.Oauth2Error("Jarm Auth Response is not valid.");
-    }
-    jarmAuthResponse = response;
-  } else {
-    const jsonRequestData = JSON.parse(decryptedRequestData);
-    jarmAuthResponse = zJarmAuthResponseEncryptedOnly.parse(jsonRequestData);
-  }
-  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(jarmAuthResponse);
-  jarmAuthResponseValidate({
-    clientId: authorizationRequest.client_id,
-    authorizationResponse: jarmAuthResponse
-  });
-  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
-  const issuer = jarmAuthResponse.iss;
-  return { authorizationRequest, jarmAuthResponse, type, issuer };
-}
-// src/jarm/metadata/z-jarm-client-metadata.ts
-var import_oauth24 = require("@openid4vc/oauth2");
-var import_utils2 = require("@openid4vc/utils");
-var import_zod4 = require("zod");
-var zJarmSignOnlyClientMetadata = import_zod4.z.object({
-  authorization_signed_response_alg: import_oauth24.zAlgValueNotNone,
-  authorization_encrypted_response_alg: import_zod4.z.optional(import_zod4.z.never()),
-  authorization_encrypted_response_enc: import_zod4.z.optional(import_zod4.z.never())
+var zJarmSignOnlyClientMetadata = import_zod2.z.object({
+  authorization_signed_response_alg: import_oauth2.zAlgValueNotNone,
+  authorization_encrypted_response_alg: import_zod2.z.optional(import_zod2.z.never()),
+  authorization_encrypted_response_enc: import_zod2.z.optional(import_zod2.z.never())
 });
-var zJarmEncryptOnlyClientMetadata = import_zod4.z.object({
-  authorization_signed_response_alg: import_zod4.z.optional(import_zod4.z.never()),
-  authorization_encrypted_response_alg: import_zod4.z.string(),
-  authorization_encrypted_response_enc: import_zod4.z.optional(import_zod4.z.string())
+var zJarmEncryptOnlyClientMetadata = import_zod2.z.object({
+  authorization_signed_response_alg: import_zod2.z.optional(import_zod2.z.never()),
+  authorization_encrypted_response_alg: import_zod2.z.string(),
+  authorization_encrypted_response_enc: import_zod2.z.optional(import_zod2.z.string())
 });
-var zJarmSignEncryptClientMetadata = import_zod4.z.object({
+var zJarmSignEncryptClientMetadata = import_zod2.z.object({
   authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
   authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
   authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
 });
-var zJarmClientMetadata = import_zod4.z.object({
-  authorization_signed_response_alg: import_zod4.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
-  authorization_encrypted_response_alg: import_zod4.z.optional(
+var zJarmClientMetadata = import_zod2.z.object({
+  authorization_signed_response_alg: import_zod2.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
+  authorization_encrypted_response_alg: import_zod2.z.optional(
     zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg
   ),
-  authorization_encrypted_response_enc: import_zod4.z.optional(
+  authorization_encrypted_response_enc: import_zod2.z.optional(
     zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
   )
 });
 var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
-  const parsedClientMeta = (0, import_utils2.parseWithErrorHandling)(
-    import_zod4.z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
+  const parsedClientMeta = (0, import_utils.parseWithErrorHandling)(
+    import_zod2.z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
     client_metadata,
     "Invalid jarm client metadata."
   );
@@ -229,32 +138,138 @@ var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata)
       }
     };
   }
-  throw new import_oauth24.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
+  throw new import_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
 });
+// src/jarm/jarm-extract-jwks.ts
+function extractJwksFromClientMetadata(clientMetadata) {
+  const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
+  const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
+  const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
+  return { encJwk, sigJwk };
+}
+// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
+var import_oauth23 = require("@openid4vc/oauth2");
+var import_utils2 = require("@openid4vc/utils");
+// src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
+var import_oauth22 = require("@openid4vc/oauth2");
+var import_zod3 = require("zod");
+var zJarmHeader = import_zod3.z.object({ ...import_oauth22.zJwtHeader.shape, apu: import_zod3.z.string().optional(), apv: import_zod3.z.string().optional() });
+var zJarmAuthorizationResponse = import_zod3.z.object({
+  /**
+   * iss: The issuer URL of the authorization server that created the response
+   * aud: The client_id of the client the response is intended for
+   * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
+   */
+  ...import_oauth22.zJwtPayload.shape,
+  ...import_oauth22.zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
+  state: import_zod3.z.optional(import_zod3.z.string())
+}).passthrough();
+var zJarmAuthorizationResponseEncryptedOnly = import_zod3.z.object({
+  ...import_oauth22.zJwtPayload.shape,
+  state: import_zod3.z.optional(import_zod3.z.string())
+}).passthrough();
+// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
+var jarmAuthorizationResponseValidate = (options) => {
+  const { expectedClientId, authorizationResponse } = options;
+  if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
+    return;
+  }
+  if (expectedClientId !== authorizationResponse.aud) {
+    throw new import_oauth23.Oauth2Error(
+      `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
+    );
+  }
+  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils2.dateToSeconds)()) {
+    throw new import_oauth23.Oauth2Error("Jarm auth response is expired.");
+  }
+};
+// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+var decryptJarmAuthorizationResponseJwt = async (options) => {
+  const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
+  const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks ? extractJwksFromClientMetadata({
+    ...authorizationRequestPayload.client_metadata,
+    jwks: authorizationRequestPayload.client_metadata.jwks
+  }).encJwk : void 0;
+  const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
+  if (!result.decrypted) {
+    throw new import_oauth24.Oauth2Error("Failed to decrypt jarm auth response.");
+  }
+  return result.payload;
+};
+async function verifyJarmAuthorizationResponse(options) {
+  const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
+  const requestDataIsEncrypted = import_oauth24.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
+  const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
+    jarmAuthorizationResponseJwt,
+    callbacks,
+    authorizationRequestPayload
+  }) : jarmAuthorizationResponseJwt;
+  const responseIsSigned = import_oauth24.zCompactJwt.safeParse(decryptedRequestData).success;
+  if (!requestDataIsEncrypted && !responseIsSigned) {
+    throw new import_oauth24.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
+  }
+  let jarmAuthorizationResponse;
+  if (responseIsSigned) {
+    const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth24.decodeJwt)({
+      jwt: decryptedRequestData,
+      headerSchema: import_zod4.default.object({ ...import_oauth24.zJwtHeader.shape, kid: import_zod4.default.string() })
+    });
+    const response = zJarmAuthorizationResponse.parse(jwsPayload);
+    const jwtSigner = (0, import_oauth24.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
+    const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
+      compact: decryptedRequestData,
+      header: jwsProtectedHeader,
+      payload: jwsPayload
+    });
+    if (!verificationResult.verified) {
+      throw new import_oauth24.Oauth2Error("Jarm Auth Response is not valid.");
+    }
+    jarmAuthorizationResponse = response;
+  } else {
+    const jsonRequestData = JSON.parse(decryptedRequestData);
+    jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
+  }
+  jarmAuthorizationResponseValidate({
+    expectedClientId,
+    authorizationResponse: jarmAuthorizationResponse
+  });
+  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
+  const issuer = jarmAuthorizationResponse.iss;
+  return { jarmAuthorizationResponse, type, issuer };
+}
 // src/authorization-request/create-authorization-request.ts
 var import_oauth29 = require("@openid4vc/oauth2");
 var import_utils6 = require("@openid4vc/utils");
-// src/jar/create-jar-auth-request.ts
+// src/jar/create-jar-authorization-request.ts
 var import_oauth25 = require("@openid4vc/oauth2");
-async function createJarAuthRequest(options) {
-  const { jwtSigner, jweEncryptor, authRequestParams, requestUri, callbacks } = options;
-  let requestObjectJwt;
+async function createJarAuthorizationRequest(options) {
+  const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
+  let authorizationRequestJwt;
   let encryptionJwk;
   const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
     header: { ...(0, import_oauth25.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
-    payload: { ...options.additionalJwtPayload, ...authRequestParams }
+    payload: { ...options.additionalJwtPayload, ...authorizationRequestPayload }
   });
-  requestObjectJwt = jwt;
+  authorizationRequestJwt = jwt;
   if (jweEncryptor) {
-    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, requestObjectJwt);
-    requestObjectJwt = encryptionResult.jwe;
+    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
+    authorizationRequestJwt = encryptionResult.jwe;
     encryptionJwk = encryptionResult.encryptionJwk;
   }
-  const client_id = authRequestParams.client_id;
-  const requestParams = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: requestObjectJwt };
-  return { requestParams, signerJwk, encryptionJwk, requestObjectJwt };
+  const client_id = authorizationRequestPayload.client_id;
+  const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
+  return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
 }
 // src/authorization-request/validate-authorization-request.ts
@@ -323,20 +338,20 @@ var validateOpenid4vpAuthorizationRequestPayload = (options) => {
 // src/authorization-request/validate-authorization-request-dc-api.ts
 var import_oauth27 = require("@openid4vc/oauth2");
 var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
-  const { params, isJarRequest, omitOriginValidation, origin } = options;
+  const { params, isJarRequest, disableOriginValidation, origin } = options;
   if (isJarRequest && !params.expected_origins) {
     throw new import_oauth27.Oauth2ServerErrorResponseError({
       error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
       error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
     });
   }
-  if ([params.presentation_definition, params.dcql_query].filter(Boolean).length > 1) {
+  if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
     throw new import_oauth27.Oauth2ServerErrorResponseError({
       error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
-      error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
+      error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
     });
   }
-  if (params.expected_origins && !omitOriginValidation) {
+  if (params.expected_origins && !disableOriginValidation) {
     if (!origin) {
       throw new import_oauth27.Oauth2ServerErrorResponseError({
         error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
@@ -420,7 +435,8 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
   presentation_definition: true,
   client_metadata: true,
   transaction_data: true,
-  dcql_query: true
+  dcql_query: true,
+  trust_chain: true
 }).extend({
   client_id: import_zod8.z.optional(import_zod8.z.string()),
   expected_origins: import_zod8.z.array(import_zod8.z.string()).optional(),
@@ -441,64 +457,67 @@ function isOpenid4vpAuthorizationRequestDcApi(request) {
 // src/authorization-request/create-authorization-request.ts
 async function createOpenid4vpAuthorizationRequest(options) {
-  const { jar, scheme = "openid4vp://", requestPayload, wallet, callbacks } = options;
+  const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
   let additionalJwtPayload;
-  let authRequestParams;
-  if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {
-    authRequestParams = (0, import_utils6.parseWithErrorHandling)(
+  let authorizationRequestPayload;
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
+    authorizationRequestPayload = (0, import_utils6.parseWithErrorHandling)(
       zOpenid4vpAuthorizationRequestDcApi,
-      requestPayload,
+      options.authorizationRequestPayload,
       "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
     );
-    if (jar && !authRequestParams.expected_origins) {
+    if (jar && !authorizationRequestPayload.expected_origins) {
       throw new import_oauth29.Oauth2Error(
         `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
       );
     }
     validateOpenid4vpAuthorizationRequestDcApiPayload({
-      params: authRequestParams,
+      params: authorizationRequestPayload,
       isJarRequest: Boolean(jar),
-      omitOriginValidation: true
+      disableOriginValidation: true
     });
   } else {
-    authRequestParams = (0, import_utils6.parseWithErrorHandling)(
+    authorizationRequestPayload = (0, import_utils6.parseWithErrorHandling)(
       zOpenid4vpAuthorizationRequest,
-      requestPayload,
+      options.authorizationRequestPayload,
       "Invalid authorization request. Could not parse openid4vp authorization request."
     );
-    validateOpenid4vpAuthorizationRequestPayload({ params: authRequestParams, walletVerificationOptions: wallet });
+    validateOpenid4vpAuthorizationRequestPayload({
+      params: authorizationRequestPayload,
+      walletVerificationOptions: wallet
+    });
   }
   if (jar) {
     if (!jar.additionalJwtPayload?.aud) {
       additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri };
     }
-  }
-  if (jar) {
-    const jarResult = await createJarAuthRequest({
+    const jarResult = await createJarAuthorizationRequest({
       ...jar,
-      authRequestParams: requestPayload,
+      authorizationRequestPayload,
       additionalJwtPayload,
       callbacks
     });
     const url2 = new import_utils6.URL(scheme);
     url2.search = `?${new import_utils6.URLSearchParams([
       ...url2.searchParams.entries(),
-      ...(0, import_utils6.objectToQueryParams)(jarResult.requestParams).entries()
+      ...(0, import_utils6.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries()
     ]).toString()}`;
     return {
-      authRequestObject: jarResult.requestParams,
-      authRequest: url2.toString(),
+      authorizationRequestPayload,
+      authorizationRequestObject: jarResult.jarAuthorizationRequest,
+      authorizationRequest: url2.toString(),
       jar: { ...jar, ...jarResult }
     };
   }
   const url = new import_utils6.URL(scheme);
   url.search = `?${new import_utils6.URLSearchParams([
     ...url.searchParams.entries(),
-    ...(0, import_utils6.objectToQueryParams)(requestPayload).entries()
+    ...(0, import_utils6.objectToQueryParams)(authorizationRequestPayload).entries()
   ]).toString()}`;
   return {
-    authRequestObject: requestPayload,
-    authRequest: url.toString(),
+    authorizationRequestPayload,
+    authorizationRequestObject: authorizationRequestPayload,
+    authorizationRequest: url.toString(),
     jar: void 0
   };
 }
@@ -509,11 +528,11 @@ var import_utils8 = require("@openid4vc/utils");
 var import_utils9 = require("@openid4vc/utils");
 var import_zod10 = __toESM(require("zod"));
-// src/jar/z-jar-auth-request.ts
+// src/jar/z-jar-authorization-request.ts
 var import_oauth210 = require("@openid4vc/oauth2");
 var import_utils7 = require("@openid4vc/utils");
 var import_zod9 = require("zod");
-var zJarAuthRequest = import_zod9.z.object({
+var zJarAuthorizationRequest = import_zod9.z.object({
   request: import_zod9.z.optional(import_zod9.z.string()),
   request_uri: import_zod9.z.optional(import_utils7.zHttpsUrl),
   request_uri_method: import_zod9.z.optional(import_zod9.z.string()),
@@ -535,7 +554,7 @@ function validateJarRequestParams(options) {
   }
   return jarRequestParams;
 }
-function isJarAuthRequest(request) {
+function isJarAuthorizationRequest(request) {
   return "request" in request || "request_uri" in request;
 }
@@ -558,10 +577,10 @@ function parseOpenid4vpAuthorizationRequestPayload(options) {
     params = authorizationRequest;
   }
   const parsedRequest = (0, import_utils9.parseWithErrorHandling)(
-    import_zod10.default.union([zOpenid4vpAuthorizationRequest, zJarAuthRequest, zOpenid4vpAuthorizationRequestDcApi]),
+    import_zod10.default.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
     params
   );
-  if (isJarAuthRequest(parsedRequest)) {
+  if (isJarAuthorizationRequest(parsedRequest)) {
     return {
       type: "jar",
       provided,
@@ -584,17 +603,17 @@ function parseOpenid4vpAuthorizationRequestPayload(options) {
 // src/authorization-request/resolve-authorization-request.ts
 var import_oauth219 = require("@openid4vc/oauth2");
-var import_utils13 = require("@openid4vc/utils");
-var import_zod15 = __toESM(require("zod"));
+var import_utils14 = require("@openid4vc/utils");
+var import_zod14 = __toESM(require("zod"));
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
 var import_oauth213 = require("@openid4vc/oauth2");
+var import_utils10 = require("@openid4vc/utils");
 // src/version.ts
 var import_oauth212 = require("@openid4vc/oauth2");
 function parseAuthorizationRequestVersion(request) {
   const requirements = [];
-  const vp_formats = request.client_metadata?.vp_formats;
   if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
     requirements.push(["<", 23]);
     requirements.push([">=", 21]);
@@ -655,70 +674,56 @@ function parseAuthorizationRequestVersion(request) {
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
 function getClientId(options) {
-  if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
+  const version = parseAuthorizationRequestVersion(options.authorizationRequestPayload);
+  if (version < 22) {
+    return getLegacyClientId(options);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
     if (!options.origin) {
       throw new import_oauth213.Oauth2ServerErrorResponseError({
         error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
-    if (!options.jar || !options.request.client_id) return `web-origin:${options.origin}`;
-    return options.request.client_id;
+    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
+    return options.authorizationRequestPayload.client_id;
   }
-  return options.request.client_id;
+  return options.authorizationRequestPayload.client_id;
 }
 function getLegacyClientId(options) {
-  const legacyClientIdScheme = options.request.client_id_scheme ?? "pre-registered";
-  let clientIdScheme;
-  if (legacyClientIdScheme === "entity_id") {
-    clientIdScheme = "https";
-  } else {
-    clientIdScheme = legacyClientIdScheme;
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(options.request)) {
+  const legacyClientIdScheme = options.authorizationRequestPayload.client_id_scheme ?? "pre-registered";
+  const clientIdScheme = legacyClientIdScheme === "entity_id" ? "https" : legacyClientIdScheme;
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
     if (!options.origin) {
       throw new import_oauth213.Oauth2ServerErrorResponseError({
         error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
-    if (!options.jar || !options.request.client_id) return `web-origin:${options.origin}`;
-    return `${clientIdScheme}:${options.request.client_id}`;
+    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
+    return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
   }
   if (clientIdScheme === "https" || clientIdScheme === "did") {
-    return options.request.client_id;
+    return options.authorizationRequestPayload.client_id;
   }
   if (clientIdScheme === "pre-registered") {
-    return options.request.client_id;
+    return options.authorizationRequestPayload.client_id;
   }
-  return `${clientIdScheme}:${options.request.client_id}`;
+  return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
 }
 function parseClientIdentifier(options, parserConfig) {
-  const { request, jar } = options;
-  const version = parseAuthorizationRequestVersion(request);
-  if (version < 22) {
-    const legacyClientIdScheme = request.client_id_scheme ?? "pre-registered";
-    let clientIdSchem;
-    if (legacyClientIdScheme) {
-      if (legacyClientIdScheme === "entity_id") {
-        clientIdSchem = "https";
-      } else {
-        clientIdSchem = legacyClientIdScheme;
-      }
-    }
-  }
-  const isDcApiRequest = isOpenid4vpAuthorizationRequestDcApi(request);
-  const clientId = version < 22 ? getLegacyClientId(options) : getClientId(options);
+  const { authorizationRequestPayload, jar } = options;
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
+  const clientId = getClientId(options);
   const colonIndex = clientId.indexOf(":");
   if (colonIndex === -1) {
     return {
       scheme: "pre-registered",
       identifier: clientId,
       originalValue: clientId,
-      clientMetadata: request.client_metadata
+      clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
   const schemePart = clientId.substring(0, colonIndex);
@@ -731,12 +736,6 @@ function parseClientIdentifier(options, parserConfig) {
   }
   const scheme = schemePart;
   if (scheme === "https") {
-    if (isDcApiRequest) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `The client identifier scheme 'https' is not supported when using the dc_api response mode.`
-      });
-    }
     if (!clientId.startsWith("https://") && !((0, import_oauth213.getGlobalConfig)().allowInsecureUrls && clientId.startsWith("http://"))) {
       throw new import_oauth213.Oauth2ServerErrorResponseError({
         error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
@@ -747,7 +746,7 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: clientId,
       originalValue: clientId,
-      trustChain: request.trust_chain
+      trustChain: authorizationRequestPayload.trust_chain
     };
   }
   if (scheme === "redirect_uri") {
@@ -757,7 +756,7 @@ function parseClientIdentifier(options, parserConfig) {
         error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
       });
     }
-    if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
       throw new import_oauth213.Oauth2ServerErrorResponseError({
         error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
         error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
@@ -767,7 +766,7 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: identifierPart,
       originalValue: clientId,
-      redirectUri: request.redirect_uri ?? request.response_uri
+      redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
     };
   }
   if (scheme === "did") {
@@ -833,9 +832,9 @@ function parseClientIdentifier(options, parserConfig) {
           error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
         });
       }
-      if (!isOpenid4vpAuthorizationRequestDcApi(request)) {
-        const uri = request.redirect_uri ?? request.response_uri;
-        if (!uri || getDomainFromUrl(uri) !== identifierPart) {
+      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+        const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
+        if (!uri || new import_utils10.URL(uri).hostname !== identifierPart) {
           throw new import_oauth213.Oauth2ServerErrorResponseError({
             error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
             error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
@@ -860,8 +859,8 @@ function parseClientIdentifier(options, parserConfig) {
           error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
         });
       }
-      if (!isOpenid4vpAuthorizationRequestDcApi(request)) {
-        const uri = request.redirect_uri || request.response_uri;
+      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+        const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
         if (!uri || uri !== identifierPart) {
           throw new import_oauth213.Oauth2ServerErrorResponseError({
             error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
@@ -882,7 +881,7 @@ function parseClientIdentifier(options, parserConfig) {
       scheme,
       identifier: identifierPart,
       originalValue: clientId,
-      clientMetadata: request.client_metadata
+      clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
   if (scheme === "verifier_attestation") {
@@ -899,42 +898,17 @@ function parseClientIdentifier(options, parserConfig) {
     originalValue: clientId
   };
 }
-function getDomainFromUrl(url) {
-  try {
-    const regex = /[#/?]/;
-    const domain = url.split("://")[1].split(regex)[0];
-    return domain;
-  } catch (error) {
-    throw new import_oauth213.Oauth2ServerErrorResponseError({
-      error: import_oauth213.Oauth2ErrorCodes.ServerError,
-      error_description: `Url '${url}' is not a valid URL`
-    });
-  }
-}
 // src/fetch-client-metadata.ts
 var import_oauth214 = require("@openid4vc/oauth2");
-var import_utils10 = require("@openid4vc/utils");
-// src/models/z-wallet-metadata.ts
-var import_zod11 = require("zod");
-var zWalletMetadata = import_zod11.z.object({
-  presentation_definition_uri_supported: import_zod11.z.optional(import_zod11.z.boolean()),
-  vp_formats_supported: zVpFormatsSupported,
-  client_id_schemes_supported: import_zod11.z.optional(import_zod11.z.array(zClientIdScheme)),
-  request_object_signing_alg_values_supported: import_zod11.z.optional(import_zod11.z.array(import_zod11.z.string())),
-  authorization_encryption_alg_values_supported: import_zod11.z.optional(import_zod11.z.array(import_zod11.z.string())),
-  authorization_encryption_enc_values_supported: import_zod11.z.optional(import_zod11.z.array(import_zod11.z.string()))
-});
-// src/fetch-client-metadata.ts
+var import_utils11 = require("@openid4vc/utils");
 async function fetchClientMetadata(options) {
   const { fetch, clientMetadataUri } = options;
-  const fetcher = (0, import_utils10.createZodFetcher)(fetch);
-  const { result, response } = await fetcher(zWalletMetadata, import_utils10.ContentType.Json, clientMetadataUri, {
+  const fetcher = (0, import_utils11.createZodFetcher)(fetch);
+  const { result, response } = await fetcher(zClientMetadata, import_utils11.ContentType.Json, clientMetadataUri, {
     method: "GET",
     headers: {
-      Accept: import_utils10.ContentType.Json
+      Accept: import_utils11.ContentType.Json
     }
   });
   if (!response.ok) {
@@ -957,23 +931,23 @@ var import_oauth217 = require("@openid4vc/oauth2");
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 var import_oauth215 = require("@openid4vc/oauth2");
-var import_utils11 = require("@openid4vc/utils");
-var import_zod12 = require("zod");
+var import_utils12 = require("@openid4vc/utils");
+var import_zod11 = require("zod");
 async function fetchJarRequestObject(options) {
   const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options;
-  const fetcher = (0, import_utils11.createZodFetcher)(fetch);
+  const fetcher = (0, import_utils12.createZodFetcher)(fetch);
   let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
   if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdentifierScheme === "redirect_uri") {
     const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
     requestBody = { ...requestBody, wallet_metadata: { ...rest } };
   }
-  const { result, response } = await fetcher(import_zod12.z.string(), import_utils11.ContentType.OAuthRequestObjectJwt, requestUri, {
+  const { result, response } = await fetcher(import_zod11.z.string(), import_utils12.ContentType.OAuthAuthorizationRequestJwt, requestUri, {
     method,
     headers: {
-      Accept: `${import_utils11.ContentType.OAuthRequestObjectJwt}, ${import_utils11.ContentType.Jwt};q=0.9`,
-      "Content-Type": import_utils11.ContentType.XWwwFormUrlencoded
+      Accept: `${import_utils12.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils12.ContentType.Jwt};q=0.9`,
+      "Content-Type": import_utils12.ContentType.XWwwFormUrlencoded
     },
-    body: method === "POST" ? (0, import_utils11.objectToQueryParams)(wallet.metadata ?? {}) : void 0
+    body: method === "POST" ? (0, import_utils12.objectToQueryParams)(wallet.metadata ?? {}) : void 0
   });
   if (!response.ok) {
     throw new import_oauth215.Oauth2ServerErrorResponseError({
@@ -992,10 +966,10 @@ async function fetchJarRequestObject(options) {
 // src/jar/jar-request-object/z-jar-request-object.ts
 var import_oauth216 = require("@openid4vc/oauth2");
-var import_zod13 = require("zod");
-var zJarRequestObjectPayload = import_zod13.z.object({
+var import_zod12 = require("zod");
+var zJarRequestObjectPayload = import_zod12.z.object({
   ...import_oauth216.zJwtPayload.shape,
-  client_id: import_zod13.z.string()
+  client_id: import_zod12.z.string()
 }).passthrough();
 // src/jar/handle-jar-request/verify-jar-request.ts
@@ -1026,17 +1000,17 @@ async function verifyJarRequest(options) {
       error_description: "Jar Request Object is not a valid JWS."
     });
   }
-  const { authRequestParams, signer } = await verifyJarRequestObject({
+  const { authorizationRequestParams, signer } = await verifyJarRequestObject({
     decryptedRequestObject,
     callbacks
   });
-  if (!authRequestParams.client_id) {
+  if (!authorizationRequestParams.client_id) {
     throw new import_oauth217.Oauth2ServerErrorResponseError({
       error: import_oauth217.Oauth2ErrorCodes.InvalidRequestObject,
       error_description: 'Jar Request Object is missing the required "client_id" field.'
     });
   }
-  if (jarRequestParams.client_id !== authRequestParams.client_id) {
+  if (jarRequestParams.client_id !== authorizationRequestParams.client_id) {
     throw new import_oauth217.Oauth2ServerErrorResponseError({
       error: import_oauth217.Oauth2ErrorCodes.InvalidRequest,
       error_description: "client_id does not match the request object client_id."
@@ -1044,7 +1018,7 @@ async function verifyJarRequest(options) {
   }
   return {
     sendBy,
-    authRequestParams,
+    authorizationRequestParams,
     signer,
     decryptionJwk
   };
@@ -1085,26 +1059,26 @@ async function verifyJarRequestObject(options) {
       error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
     });
   }
-  return { authRequestParams: jwt.payload, signer };
+  return { authorizationRequestParams: jwt.payload, signer };
 }
 // src/transaction-data/parse-transaction-data.ts
 var import_oauth218 = require("@openid4vc/oauth2");
-var import_utils12 = require("@openid4vc/utils");
+var import_utils13 = require("@openid4vc/utils");
 // src/transaction-data/z-transaction-data.ts
-var import_zod14 = require("zod");
-var zTransactionEntry = import_zod14.z.object({
-  type: import_zod14.z.string(),
-  credential_ids: import_zod14.z.array(import_zod14.z.string()).nonempty(),
-  transaction_data_hashes_alg: import_zod14.z.array(import_zod14.z.string()).optional()
+var import_zod13 = require("zod");
+var zTransactionEntry = import_zod13.z.object({
+  type: import_zod13.z.string(),
+  credential_ids: import_zod13.z.array(import_zod13.z.string()).nonempty(),
+  transaction_data_hashes_alg: import_zod13.z.array(import_zod13.z.string()).optional()
 });
-var zTransactionData = import_zod14.z.array(zTransactionEntry);
+var zTransactionData = import_zod13.z.array(zTransactionEntry);
 // src/transaction-data/parse-transaction-data.ts
 function parseTransactionData(options) {
   const { transactionData } = options;
-  const decoded = transactionData.map((tdEntry) => (0, import_utils12.parseIfJson)((0, import_utils12.encodeToUtf8String)((0, import_utils12.decodeBase64)(tdEntry))));
+  const decoded = transactionData.map((tdEntry) => (0, import_utils13.parseIfJson)((0, import_utils13.encodeToUtf8String)((0, import_utils13.decodeBase64)(tdEntry))));
   const parsedResult = zTransactionData.safeParse(decoded);
   if (!parsedResult.success) {
     throw new import_oauth218.Oauth2ServerErrorResponseError({
@@ -1121,138 +1095,132 @@ function parseTransactionData(options) {
 // src/authorization-request/resolve-authorization-request.ts
 async function resolveOpenid4vpAuthorizationRequest(options) {
-  const { requestPayload, wallet, callbacks, origin, omitOriginValidation } = options;
-  let authRequestPayload;
-  const parsed = (0, import_utils13.parseWithErrorHandling)(
-    import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthRequest]),
-    requestPayload,
+  const { wallet, callbacks, origin, disableOriginValidation } = options;
+  let authorizationRequestPayload;
+  const parsed = (0, import_utils14.parseWithErrorHandling)(
+    import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
+    options.authorizationRequestPayload,
     "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
   );
   let jar;
-  if (isJarAuthRequest(parsed)) {
+  if (isJarAuthorizationRequest(parsed)) {
     jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
-    const parsedJarAuthRequestPayload = (0, import_utils13.parseWithErrorHandling)(
-      import_zod15.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
-      jar.authRequestParams,
+    const parsedJarAuthorizationRequestPayload = (0, import_utils14.parseWithErrorHandling)(
+      import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
+      jar.authorizationRequestParams,
       "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
     );
-    authRequestPayload = validateOpenId4vpPayload({
-      requestPayload: parsedJarAuthRequestPayload,
+    authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
+      authorizationRequestPayload: parsedJarAuthorizationRequestPayload,
       wallet,
       jar: true,
       origin,
-      omitOriginValidation
+      disableOriginValidation
     });
   } else {
-    authRequestPayload = validateOpenId4vpPayload({
-      requestPayload: parsed,
+    authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
+      authorizationRequestPayload: parsed,
       wallet,
       jar: false,
       origin,
-      omitOriginValidation
+      disableOriginValidation
     });
   }
-  let clientMetadata;
-  if (!isOpenid4vpAuthorizationRequestDcApi(authRequestPayload) && authRequestPayload.client_metadata_uri) {
-    clientMetadata = await fetchClientMetadata({ clientMetadataUri: authRequestPayload.client_metadata_uri });
+  let clientMetadata = authorizationRequestPayload.client_metadata;
+  if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) {
+    clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
   }
   const clientMeta = parseClientIdentifier({
-    request: { ...authRequestPayload, client_metadata: clientMetadata ?? authRequestPayload.client_metadata },
+    authorizationRequestPayload: {
+      ...authorizationRequestPayload,
+      client_metadata: clientMetadata
+    },
     jar,
     callbacks,
     origin
   });
   let pex;
   let dcql;
-  if (authRequestPayload.presentation_definition || authRequestPayload.presentation_definition_uri) {
-    if (authRequestPayload.presentation_definition_uri) {
+  if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {
+    if (authorizationRequestPayload.presentation_definition_uri) {
       throw new import_oauth219.Oauth2ServerErrorResponseError({
         error: import_oauth219.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Cannot fetch presentation definition from URI. Not supported."
       });
     }
     pex = {
-      presentation_definition: authRequestPayload.presentation_definition,
-      presentation_definition_uri: authRequestPayload.presentation_definition_uri
+      presentation_definition: authorizationRequestPayload.presentation_definition,
+      presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri
     };
   }
-  if (authRequestPayload.dcql_query) {
-    dcql = { query: authRequestPayload.dcql_query };
+  if (authorizationRequestPayload.dcql_query) {
+    dcql = { query: authorizationRequestPayload.dcql_query };
   }
-  const transactionData = authRequestPayload.transaction_data ? parseTransactionData({ transactionData: authRequestPayload.transaction_data }) : void 0;
+  const transactionData = authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0;
   return {
     transactionData,
-    requestPayload: authRequestPayload,
+    authorizationRequestPayload,
     jar,
-    client: { ...clientMeta },
+    client: clientMeta,
     pex,
     dcql
   };
 }
-function validateOpenId4vpPayload(options) {
-  const { requestPayload, wallet, jar, origin, omitOriginValidation } = options;
-  if (isOpenid4vpAuthorizationRequestDcApi(requestPayload)) {
+function validateOpenId4vpAuthorizationRequestPayload(options) {
+  const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options;
+  if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
     validateOpenid4vpAuthorizationRequestDcApiPayload({
-      params: requestPayload,
+      params: authorizationRequestPayload,
       isJarRequest: jar,
-      omitOriginValidation,
+      disableOriginValidation,
       origin
     });
-    return requestPayload;
+    return authorizationRequestPayload;
   }
-  validateOpenid4vpAuthorizationRequestPayload({ params: requestPayload, walletVerificationOptions: wallet });
-  return requestPayload;
+  validateOpenid4vpAuthorizationRequestPayload({
+    params: authorizationRequestPayload,
+    walletVerificationOptions: wallet
+  });
+  return authorizationRequestPayload;
 }
 // src/authorization-response/create-authorization-response.ts
 var import_oauth222 = require("@openid4vc/oauth2");
-var import_utils14 = require("@openid4vc/utils");
+var import_utils15 = require("@openid4vc/utils");
 // ../utils/src/date.ts
 function addSecondsToDate(date, seconds) {
   return new Date(date.getTime() + seconds * 1e3);
 }
-// src/jarm/jarm-auth-response-create.ts
+// src/jarm/jarm-authorization-response-create.ts
 var import_oauth220 = require("@openid4vc/oauth2");
-async function createJarmAuthResponse(options) {
-  const { jarmAuthResponse, jweEncryptor, jwtSigner, callbacks } = options;
+async function createJarmAuthorizationResponse(options) {
+  const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options;
   if (!jwtSigner && jweEncryptor) {
-    const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthResponse));
-    return { jarmAuthResponseJwt: jwe };
+    const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse));
+    return { jarmAuthorizationResponseJwt: jwe };
   }
   if (jwtSigner && !jweEncryptor) {
     const signed2 = await callbacks.signJwt(jwtSigner, {
       header: (0, import_oauth220.jwtHeaderFromJwtSigner)(jwtSigner),
-      payload: jarmAuthResponse
+      payload: jarmAuthorizationResponse
     });
-    return { jarmAuthResponseJwt: signed2.jwt };
+    return { jarmAuthorizationResponseJwt: signed2.jwt };
   }
   if (!jwtSigner || !jweEncryptor) {
     throw new import_oauth220.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
   }
   const signed = await callbacks.signJwt(jwtSigner, {
     header: (0, import_oauth220.jwtHeaderFromJwtSigner)(jwtSigner),
-    payload: jarmAuthResponse
+    payload: jarmAuthorizationResponse
   });
   const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt);
-  return { jarmAuthResponseJwt: encrypted.jwe };
-}
-// src/jarm/jarm-extract-jwks.ts
-function extractJwksFromClientMetadata(clientMetadata) {
-  const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
-  const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
-  const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
-  clientMetadata.jwks.keys?.[0];
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
-  clientMetadata.jwks.keys?.[0];
-  return { encJwk, sigJwk };
+  return { jarmAuthorizationResponseJwt: encrypted.jwe };
 }
 // src/jarm/jarm-response-mode.ts
-var import_zod16 = require("zod");
+var import_zod15 = require("zod");
 var jarmResponseMode = [
   "jwt",
   "query.jwt",
@@ -1261,7 +1229,7 @@ var jarmResponseMode = [
   "direct_post.jwt",
   "dc_api.jwt"
 ];
-var zJarmResponseMode = import_zod16.z.enum(jarmResponseMode);
+var zJarmResponseMode = import_zod15.z.enum(jarmResponseMode);
 var isJarmResponseMode = (responseMode) => {
   return jarmResponseMode.includes(responseMode);
 };
@@ -1307,37 +1275,37 @@ function jarmAssertMetadataSupported(options) {
 // src/authorization-response/create-authorization-response.ts
 async function createOpenid4vpAuthorizationResponse(options) {
-  const { requestPayload, jarm, callbacks } = options;
-  const responsePayload = {
-    ...options.responsePayload,
-    ..."state" in requestPayload && { state: requestPayload.state }
+  const { authorizationRequestPayload, jarm, callbacks } = options;
+  const authorizationResponsePayload = {
+    ...options.authorizationResponsePayload,
+    ..."state" in authorizationRequestPayload && { state: authorizationRequestPayload.state }
   };
-  if (requestPayload.response_mode && isJarmResponseMode(requestPayload.response_mode) && !jarm) {
+  if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) {
     throw new import_oauth222.Oauth2Error(
-      `Missing jarm options for creating Jarm response with response mode '${requestPayload.response_mode}'`
+      `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`
     );
   }
   if (!jarm) {
     return {
-      responsePayload
+      authorizationResponsePayload
     };
   }
-  if (!requestPayload.client_metadata) {
+  if (!authorizationRequestPayload.client_metadata) {
     throw new import_oauth222.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
   }
-  if (!requestPayload.client_metadata.jwks) {
+  if (!authorizationRequestPayload.client_metadata.jwks) {
     throw new import_oauth222.Oauth2ServerErrorResponseError({
       error: import_oauth222.Oauth2ErrorCodes.InvalidRequest,
       error_description: "Missing JWKS in client metadata. Cannot extract encryption JWK."
     });
   }
   const supportedJarmMetadata = jarmAssertMetadataSupported({
-    clientMetadata: requestPayload.client_metadata,
+    clientMetadata: authorizationRequestPayload.client_metadata,
     serverMetadata: jarm.serverMetadata
   });
   const clientMetaJwks = extractJwksFromClientMetadata({
-    ...requestPayload.client_metadata,
-    jwks: requestPayload.client_metadata.jwks
+    ...authorizationRequestPayload.client_metadata,
+    jwks: authorizationRequestPayload.client_metadata.jwks
   });
   if (!clientMetaJwks?.encJwk) {
     throw new import_oauth222.Oauth2ServerErrorResponseError({
@@ -1362,22 +1330,22 @@ async function createOpenid4vpAuthorizationResponse(options) {
     additionalJwtPayload = {
       iss: jarm.authorizationServer,
       aud: jarm.audience,
-      exp: jarm.expiresInSeconds ?? (0, import_utils14.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10))
+      exp: jarm.expiresInSeconds ?? (0, import_utils15.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10))
       // default: 10 minutes
     };
   }
   const jarmResponsePayload = {
-    ...responsePayload,
+    ...authorizationResponsePayload,
     ...additionalJwtPayload
   };
-  const result = await createJarmAuthResponse({
-    jarmAuthResponse: jarmResponsePayload,
+  const result = await createJarmAuthorizationResponse({
+    jarmAuthorizationResponse: jarmResponsePayload,
     jwtSigner: jarm?.jwtSigner,
     jweEncryptor: jarm?.encryption && (supportedJarmMetadata.type === "encrypt" || supportedJarmMetadata.type === "sign_encrypt") ? {
       method: "jwk",
       publicJwk: clientMetaJwks.encJwk,
       apu: jarm.encryption?.nonce,
-      apv: requestPayload.nonce,
+      apv: authorizationRequestPayload.nonce,
       alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,
       enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc
     } : void 0,
@@ -1387,32 +1355,32 @@ async function createOpenid4vpAuthorizationResponse(options) {
     }
   });
   return {
-    responsePayload: jarmResponsePayload,
-    jarm: { responseJwt: result.jarmAuthResponseJwt }
+    authorizationResponsePayload: jarmResponsePayload,
+    jarm: { responseJwt: result.jarmAuthorizationResponseJwt }
   };
 }
 // src/authorization-response/submit-authorization-response.ts
 var import_oauth224 = require("@openid4vc/oauth2");
-var import_utils16 = require("@openid4vc/utils");
 var import_utils17 = require("@openid4vc/utils");
+var import_utils18 = require("@openid4vc/utils");
-// src/jarm/jarm-auth-response-send.ts
+// src/jarm/jarm-authorizatino-response-send.ts
 var import_oauth223 = require("@openid4vc/oauth2");
-var import_utils15 = require("@openid4vc/utils");
-var jarmAuthResponseSend = (options) => {
-  const { authRequest, jarmAuthResponseJwt, callbacks } = options;
-  const responseEndpoint = authRequest.response_uri ?? authRequest.redirect_uri;
+var import_utils16 = require("@openid4vc/utils");
+var jarmAuthorizationResponseSend = (options) => {
+  const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
+  const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
   if (!responseEndpoint) {
     throw new import_oauth223.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST  be present in the authorization request`);
   }
-  const responseEndpointUrl = new import_utils15.URL(responseEndpoint);
-  return handleDirectPostJwt(responseEndpointUrl, jarmAuthResponseJwt, callbacks);
+  const responseEndpointUrl = new import_utils16.URL(responseEndpoint);
+  return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
 };
 async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
-  const response = await (callbacks.fetch ?? import_utils15.defaultFetcher)(responseEndpoint, {
+  const response = await (callbacks.fetch ?? import_utils16.defaultFetcher)(responseEndpoint, {
     method: "POST",
-    headers: { "Content-Type": import_utils15.ContentType.XWwwFormUrlencoded },
+    headers: { "Content-Type": import_utils16.ContentType.XWwwFormUrlencoded },
     body: `response=${responseJwt}`
   });
   return {
@@ -1423,12 +1391,12 @@ async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
 // src/authorization-response/submit-authorization-response.ts
 async function submitOpenid4vpAuthorizationResponse(options) {
-  const { requestPayload, responsePayload, jarm, callbacks } = options;
-  const url = requestPayload.response_uri;
+  const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options;
+  const url = authorizationRequestPayload.response_uri;
   if (jarm) {
-    return jarmAuthResponseSend({
-      authRequest: requestPayload,
-      jarmAuthResponseJwt: jarm.responseJwt,
+    return jarmAuthorizationResponseSend({
+      authorizationRequestPayload,
+      jarmAuthorizationResponseJwt: jarm.responseJwt,
       callbacks
     });
   }
@@ -1437,13 +1405,13 @@ async function submitOpenid4vpAuthorizationResponse(options) {
       "Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
     );
   }
-  const fetch = callbacks.fetch ?? import_utils16.defaultFetcher;
-  const encodedResponse = (0, import_utils17.objectToQueryParams)(responsePayload);
+  const fetch = callbacks.fetch ?? import_utils17.defaultFetcher;
+  const encodedResponse = (0, import_utils18.objectToQueryParams)(authorizationResponsePayload);
   const submissionResponse = await fetch(url, {
     method: "POST",
     body: encodedResponse,
     headers: {
-      "Content-Type": import_utils16.ContentType.XWwwFormUrlencoded
+      "Content-Type": import_utils17.ContentType.XWwwFormUrlencoded
     }
   });
   return {
@@ -1456,76 +1424,76 @@ async function submitOpenid4vpAuthorizationResponse(options) {
 var import_oauth225 = require("@openid4vc/oauth2");
 // src/vp-token/parse-vp-token.ts
-var import_utils18 = require("@openid4vc/utils");
+var import_utils19 = require("@openid4vc/utils");
 // src/vp-token/z-vp-token.ts
-var import_zod17 = require("zod");
-var zVpTokenPexEntry = import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())], {
+var import_zod16 = require("zod");
+var zVpTokenPexEntry = import_zod16.z.union([import_zod16.z.string(), import_zod16.z.record(import_zod16.z.any())], {
   message: "pex vp_token entry must be a string or object"
 });
-var zVpTokenPex = import_zod17.z.union(
-  [zVpTokenPexEntry, import_zod17.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+var zVpTokenPex = import_zod16.z.union(
+  [zVpTokenPexEntry, import_zod16.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
   {
     message: "pex vp_token must be a string, object or array of strings and objects"
   }
 );
-var zVpTokenDcql = import_zod17.z.record(import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())]), {
+var zVpTokenDcql = import_zod16.z.record(import_zod16.z.union([import_zod16.z.string(), import_zod16.z.record(import_zod16.z.any())]), {
   message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
 });
 var zVpToken = zVpTokenDcql.or(zVpTokenPex);
 // src/vp-token/parse-vp-token.ts
 function parsePexVpToken(vpToken) {
-  const parsedVpToken = (0, import_utils18.parseWithErrorHandling)(
+  const parsedVpToken = (0, import_utils19.parseWithErrorHandling)(
     zVpTokenPex,
-    (0, import_utils18.parseIfJson)(vpToken),
+    (0, import_utils19.parseIfJson)(vpToken),
     "Could not parse presentation exchange vp_token. Expected a string or an array of strings"
   );
   return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
 function parseDcqlVpToken(vpToken) {
-  return (0, import_utils18.parseWithErrorHandling)(
+  return (0, import_utils19.parseWithErrorHandling)(
     zVpTokenDcql,
-    (0, import_utils18.parseIfJson)(vpToken),
+    (0, import_utils19.parseIfJson)(vpToken),
     "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
 }
 // src/authorization-response/validate-authorization-response.ts
 function validateOpenid4vpAuthorizationResponsePayload(options) {
-  const { requestPayload, responsePayload } = options;
-  if ("state" in requestPayload && requestPayload.state !== responsePayload.state) {
+  const { authorizationRequestPayload, authorizationResponsePayload } = options;
+  if ("state" in authorizationRequestPayload && authorizationRequestPayload.state !== authorizationResponsePayload.state) {
     throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
   }
-  if (responsePayload.id_token) {
+  if (authorizationResponsePayload.id_token) {
     throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
   }
-  if (responsePayload.presentation_submission) {
-    if (!requestPayload.presentation_definition) {
+  if (authorizationResponsePayload.presentation_submission) {
+    if (!authorizationRequestPayload.presentation_definition) {
       throw new import_oauth225.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
     }
     return {
       type: "pex",
-      pex: "scope" in requestPayload && requestPayload.scope ? {
-        scope: requestPayload.scope,
-        presentationSubmission: responsePayload.presentation_submission,
-        presentations: parsePexVpToken(responsePayload.vp_token)
+      pex: "scope" in authorizationRequestPayload && authorizationRequestPayload.scope ? {
+        scope: authorizationRequestPayload.scope,
+        presentationSubmission: authorizationResponsePayload.presentation_submission,
+        presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
       } : {
-        presentationDefinition: requestPayload.presentation_definition,
-        presentationSubmission: responsePayload.presentation_submission,
-        presentations: parsePexVpToken(responsePayload.vp_token)
+        presentationDefinition: authorizationRequestPayload.presentation_definition,
+        presentationSubmission: authorizationResponsePayload.presentation_submission,
+        presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
       }
     };
   }
-  if (requestPayload.dcql_query) {
-    const presentations = parseDcqlVpToken(responsePayload.vp_token);
+  if (authorizationRequestPayload.dcql_query) {
+    const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token);
     return {
       type: "dcql",
-      dcql: "scope" in requestPayload && requestPayload.scope ? {
-        scope: requestPayload.scope,
+      dcql: "scope" in authorizationRequestPayload && authorizationRequestPayload.scope ? {
+        scope: authorizationRequestPayload.scope,
         presentations
       } : {
-        query: requestPayload.dcql_query,
+        query: authorizationRequestPayload.dcql_query,
         presentations
       }
     };
@@ -1539,31 +1507,31 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
 var import_oauth227 = require("@openid4vc/oauth2");
 // src/authorization-response/parse-authorization-response-payload.ts
-var import_utils19 = require("@openid4vc/utils");
+var import_utils20 = require("@openid4vc/utils");
 // src/authorization-response/z-authorization-response.ts
-var import_zod19 = require("zod");
+var import_zod18 = require("zod");
 // src/models/z-pex.ts
-var import_zod18 = require("zod");
-var zPexPresentationDefinition = import_zod18.z.record(import_zod18.z.any());
-var zPexPresentationSubmission = import_zod18.z.record(import_zod18.z.any());
+var import_zod17 = require("zod");
+var zPexPresentationDefinition = import_zod17.z.record(import_zod17.z.any());
+var zPexPresentationSubmission = import_zod17.z.record(import_zod17.z.any());
 // src/authorization-response/z-authorization-response.ts
-var zOpenid4vpAuthorizationResponse = import_zod19.z.object({
-  state: import_zod19.z.string().optional(),
-  id_token: import_zod19.z.string().optional(),
+var zOpenid4vpAuthorizationResponse = import_zod18.z.object({
+  state: import_zod18.z.string().optional(),
+  id_token: import_zod18.z.string().optional(),
   vp_token: zVpToken,
   presentation_submission: zPexPresentationSubmission.optional(),
-  refresh_token: import_zod19.z.string().optional(),
-  token_type: import_zod19.z.string().optional(),
-  access_token: import_zod19.z.string().optional(),
-  expires_in: import_zod19.z.number().optional()
+  refresh_token: import_zod18.z.string().optional(),
+  token_type: import_zod18.z.string().optional(),
+  access_token: import_zod18.z.string().optional(),
+  expires_in: import_zod18.z.number().optional()
 }).passthrough();
 // src/authorization-response/parse-authorization-response-payload.ts
 function parseOpenid4VpAuthorizationResponsePayload(payload) {
-  return (0, import_utils19.parseWithErrorHandling)(
+  return (0, import_utils20.parseWithErrorHandling)(
     zOpenid4vpAuthorizationResponse,
     payload,
     "Failed to parse openid4vp authorization response."
@@ -1572,72 +1540,61 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 // src/authorization-response/parse-jarm-authorization-response.ts
 var import_oauth226 = require("@openid4vc/oauth2");
-var import_utils20 = require("@openid4vc/utils");
-var import_zod20 = __toESM(require("zod"));
+var import_utils21 = require("@openid4vc/utils");
+var import_zod19 = __toESM(require("zod"));
 async function parseJarmAuthorizationResponse(options) {
-  const { jarmResponseJwt, callbacks } = options;
-  const jarmAuthorizationResponseJwt = (0, import_utils20.parseWithErrorHandling)(
-    import_zod20.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
+  const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
+  const jarmAuthorizationResponseJwt = (0, import_utils21.parseWithErrorHandling)(
+    import_zod19.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
   );
-  const verifiedJarmResponse = await verifyJarmAuthorizationResponse({ jarmAuthorizationResponseJwt, callbacks });
+  const verifiedJarmResponse = await verifyJarmAuthorizationResponse({
+    jarmAuthorizationResponseJwt,
+    callbacks,
+    expectedClientId,
+    authorizationRequestPayload
+  });
   const { header: jarmHeader } = (0, import_oauth226.decodeJwtHeader)({
     jwt: jarmAuthorizationResponseJwt,
     headerSchema: zJarmHeader
   });
-  const parsedAuthorizationRequest = parseOpenid4vpAuthorizationRequestPayload({
-    authorizationRequest: verifiedJarmResponse.authorizationRequest
-  });
-  if (parsedAuthorizationRequest.type !== "openid4vp" && parsedAuthorizationRequest.type !== "openid4vp_dc_api") {
-    throw new import_oauth226.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
-  }
-  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthResponse);
+  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(
+    verifiedJarmResponse.jarmAuthorizationResponse
+  );
   const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
-    requestPayload: parsedAuthorizationRequest.params,
-    responsePayload: authorizationResponsePayload
+    authorizationRequestPayload,
+    authorizationResponsePayload
   });
-  const authorizationRequestPayload = parsedAuthorizationRequest.params;
   if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {
     throw new import_oauth226.Oauth2Error(
       `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`
     );
   }
-  let mdocGeneratedNonce = void 0;
-  if (jarmHeader?.apu) {
-    mdocGeneratedNonce = (0, import_utils20.encodeToUtf8String)((0, import_utils20.decodeBase64)(jarmHeader.apu));
-  }
-  if (jarmHeader?.apv) {
-    const jarmRequestNonce = (0, import_utils20.encodeToUtf8String)((0, import_utils20.decodeBase64)(jarmHeader.apv));
-    if (jarmRequestNonce !== authorizationRequestPayload.nonce) {
-      throw new import_oauth226.Oauth2Error("The nonce in the jarm header does not match the nonce in the request.");
-    }
-  }
   return {
     ...validateOpenId4vpResponse,
-    jarm: { ...verifiedJarmResponse, jarmHeader, mdocGeneratedNonce },
+    jarm: { ...verifiedJarmResponse, jarmHeader },
     expectedNonce: authorizationRequestPayload.nonce,
-    authorizationResponsePayload,
-    authorizationRequestPayload
+    authorizationResponsePayload
   };
 }
 // src/authorization-response/parse-authorization-response.ts
 async function parseOpenid4vpAuthorizationResponse(options) {
-  const { responsePayload, callbacks } = options;
-  if (responsePayload.response) {
-    return parseJarmAuthorizationResponse({ jarmResponseJwt: responsePayload.response, callbacks });
-  }
-  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(responsePayload);
-  const { authorizationRequest } = await callbacks.getOpenid4vpAuthorizationRequest(authorizationResponsePayload);
-  const parsedAuthRequest = parseOpenid4vpAuthorizationRequestPayload({ authorizationRequest });
-  if (parsedAuthRequest.type !== "openid4vp" && parsedAuthRequest.type !== "openid4vp_dc_api") {
-    throw new import_oauth227.Oauth2Error("Invalid authorization request. Could not parse openid4vp authorization request.");
+  const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
+  const expectedClientId = getClientId({ authorizationRequestPayload, origin });
+  if (authorizationResponse.response) {
+    return parseJarmAuthorizationResponse({
+      jarmResponseJwt: authorizationResponse.response,
+      callbacks,
+      authorizationRequestPayload,
+      expectedClientId
+    });
   }
-  const authorizationRequestPayload = parsedAuthRequest.params;
-  const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
-    requestPayload: authorizationRequestPayload,
-    responsePayload: authorizationResponsePayload
+  const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse);
+  const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
+    authorizationRequestPayload,
+    authorizationResponsePayload
   });
   if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {
     throw new import_oauth227.Oauth2ServerErrorResponseError(
@@ -1651,10 +1608,9 @@ async function parseOpenid4vpAuthorizationResponse(options) {
     );
   }
   return {
-    ...validateOpenId4vpResponse,
+    ...validatedOpenId4vpResponse,
     expectedNonce: authorizationRequestPayload.nonce,
     authorizationResponsePayload,
-    authorizationRequestPayload,
     jarm: void 0
   };
 }
@@ -1680,7 +1636,7 @@ var Openid4vpClient = class {
 // src/transaction-data/verify-transaction-data.ts
 var import_oauth228 = require("@openid4vc/oauth2");
-var import_utils21 = require("@openid4vc/utils");
+var import_utils22 = require("@openid4vc/utils");
 async function verifyTransactionData(options) {
   const parsedTransactionData = parseTransactionData({
     transactionData: options.transactionData
@@ -1707,7 +1663,7 @@ async function verifyTransactionDataEntry({
   );
   const hashes = {};
   for (const alg of supportedAlgs) {
-    hashes[alg] = (0, import_utils21.encodeToBase64Url)(await callbacks.hash((0, import_utils21.decodeUtf8String)(entry.encoded), alg));
+    hashes[alg] = (0, import_utils22.encodeToBase64Url)(await callbacks.hash((0, import_utils22.decodeUtf8String)(entry.encoded), alg));
   }
   for (const credentialId of entry.transactionData.credential_ids) {
     const transactionDataHashesCredential = credentials[credentialId];
@@ -1775,12 +1731,23 @@ var Openid4vpVerifier = class {
 };
 // src/models/z-credential-formats.ts
-var import_zod21 = require("zod");
-var zCredentialFormat = import_zod21.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
+var import_zod20 = require("zod");
+var zCredentialFormat = import_zod20.z.enum(["jwt_vc_json", "ldp_vc", "ac_vc", "mso_mdoc", "dc+sd-jwt", "vc+sd-jwt"]);
 // src/models/z-proof-formats.ts
+var import_zod21 = require("zod");
+var zProofFormat = import_zod21.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
+// src/models/z-wallet-metadata.ts
 var import_zod22 = require("zod");
-var zProofFormat = import_zod22.z.enum(["jwt_vp_json", "ldc_vp", "ac_vp", "dc+sd-jwt", "vc+sd-jwt", "mso_mdoc"]);
+var zWalletMetadata = import_zod22.z.object({
+  presentation_definition_uri_supported: import_zod22.z.optional(import_zod22.z.boolean()),
+  vp_formats_supported: zVpFormatsSupported,
+  client_id_schemes_supported: import_zod22.z.optional(import_zod22.z.array(zClientIdScheme)),
+  request_object_signing_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
+  authorization_encryption_alg_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string())),
+  authorization_encryption_enc_values_supported: import_zod22.z.optional(import_zod22.z.array(import_zod22.z.string()))
+});
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   Openid4vpClient,